21 Recover Your Exchange Server 2007 Environment in 16 Steps

Has your Exchange system crashed? Here are the step-by-step instructions you need to recover that system from beginning to end.

BY ALAN SUGANO 


FEATURES 


27 Windows 7 in the Enterprise 

Windows 7's new features and enhancements 
are designed to make it attractive to enterprise 
customers. Find out whether they're good enough 
to entice businesses to shell out money for a 
desktop upgrade. 

BY MICHAEL OTEY 

31 Save Your PowerShell Code in 
Profile and Script Files 

PowerShell statements that you enter during a 
session apply only to that session. However, if you 
put your code into profile files or script files, you can 
use that code repeatedly from within the PowerShell 
console without having to re-enter it. 

BY ROBERT SHELDON 

35 Setting Up VPN 
Authentication Via RADIUS 

Learn how to add RADIUS authentication to your 
firewall without breaking or altering the current VPN 
setup. 

BY ERIC B. RUX 

41 Outlook 2007 SP2 Improves 
OST Performance 

Microsoft Office 2007 SP2 addresses a problem with 
OSTs so that you get better performance on large 
mailboxes. 

BY TONY REDMOND

OFFICE & SHAREPOINT PRO 

47 Integrating External Data 
Sources in SharePoint 

You can use Windows SharePoint Services to pull 
external data into your SharePoint pages, including 
linking multiple data sources. With Microsoft Office 
SharePoint Server, you can also use Excel Services 
and the Business Data Catalog. 

BY JIM BOYCE 


PRODUCTS 

51 New & Improved 

Check out the latest products to hit the 
marketplace. 

PRODUCT SPOTLIGHT: Google's Google Voice 

REVIEW 

Paul's Picks 

Windows Server 2008 Foundation has 
limitations, yes, but what do you expect for a 
$200 server? Plus, why you should wait to buy 
Amazon's Kindle 2. 

BY PAUL THURROTT

REVIEW 

53 ASUS Eee PC900A 
Netbook 

If you need a low-priced netbook and don't 
mind using Linux, ASUS's Eee PC 900A is a 
good value. 

BY ZAC WIGGY

REVIEW 

Diskeeper 2009 
Professional 

If you're looking to improve performance of heavily used office PCs and want a more user-friendly application than the built-in Windows defragmenter, Diskeeper Professional 2009 is worth trying out.

BY ZAC WIGGY

REVIEW 

Internet Explorer 8.0 

If you've taken a look at recent coverage of IE 
8.0, the consensus is clear: IE 8.0 is a big step 
up over IE 7.0. But can it compare to the latest 
versions of Firefox, Safari, and Chrome? 

BY BRIAN REINHOLZ 

Industry Bytes 

Find out what it takes to become a Microsoft 
MVP, get the in-depth scoop on the legal side 
of creating an email-retention system, and 
learn how Cisco's Unified Computing System 
could shake up the server business. 
15 Reader to Reader

Repartition servers with GParted, use DevCon 
to manage devices from the command line, 
and automatically create mappings. 


18 Ask the Experts 

Preserve your Granular Audit Policies, back 
up Windows Server 2008 from the command 
line, and find out why Outlook sometimes 
adds extra lines to messages. Learn about 
digital certificates, set your systems to use 
a domain controller off site, list cmdlets
in PowerShell, and delegate Hyper-V 
responsibilities. 
5 SharePoint Everywhere

Unlike many Microsoft products, 
which are losing market share 
to savvy, agile competitors, 
SharePoint has maintained a 
growing dominance among 
enterprise collaboration tools. 
What's SharePoint's secret to success? 



THURROTT | NEED TO KNOW

9 What You Need 
to Know About 
Windows Server 2008 
SP2 and Vista SP2 

The latest service pack for 
Server 2008 and Vista offers 
improvements IT pros can use, 
including exFAT file-system support improvements, 
Bluetooth 2.1 support, and the ability to slipstream 
the update yourself. 

MINASI | WINDOWS POWER TOOLS

10 2 Bcdedit Troubleshooting Tips

Two in-the-field experiences with 
Bcdedit result in tips that apply to 
any environment. 
11 New Features in Windows PowerShell 2.0

New cmdlets, operators, and 
variables, along with new 
capabilities such as script 
debugging and background 
jobs, will kickstart your PowerShell scripting. 

MORALES | WHAT WOULD MICROSOFT SUPPORT DO?

13 Administrators' 
Intro to Debugging 

Learn how to work with 
windbg.exe in the Debugging 
Tools for Windows, for those 
times when you can't rely on 
your usual diagnostic tools and 
need a backup troubleshooting plan. 




Access articles online at www.windowsitpro.com. 
Enter the article ID (located at the end of each article) 
in the InstantDoc ID text box on the home page. 
Read these articles at www.windowsitpro.com.

Active Directory Growth Tracker 

Learn how to use this script to track Active Directory 
objects so you stay current on your AD numbers. 

—Jim Turner
InstantDoc ID 101930 


Windows Gatekeeper 

Find out if Windows OSs include a mechanism to
block malware from overwriting important system 
files. 

—Jan De Clercq
InstantDoc ID 101809 


Outlook Tips & Techniques 

Learn how to prevent existing accounts from 
hindering the creation of new accounts, see what 
happens when Outlook POP mail is delivered to an 
Exchange mailbox with Outlook in Cached Mode, 
configure and update settings for Send/Receive 
Groups, and learn how to delete a PST file recently 
opened in Outlook. 

—William Lefkovics 
IT PRO PERSPECTIVE


Jeff James

"Microsoft's approach to the SharePoint 
market has hit pay dirt by focusing less on 
next-generation feature sets and more on 
providing solutions that customers truly need." 



SharePoint Everywhere 

The brightest spot in Microsoft's portfolio 

On many fronts, Microsoft seems to be a company on the defensive these days: Windows Vista adoption by businesses has lagged; Windows Mobile is at least a generation behind the iPhone on the usability front; VMware is continuing to lead the market for virtualization products; and Amazon and Google continue to lead in cloud-based development services and Internet search, respectively.

That isn't the case with Microsoft's burgeoning SharePoint business, which has rapidly grown to become one of the brightest spots in the company's product portfolio. "Microsoft Office SharePoint Server 2007 is one of the fastest growing server businesses in Microsoft history," a Microsoft spokesperson recently told me. "The growth and demand for the product has exceeded our expectations and we expect to see continued success in the enterprise space going forward." That same spokesperson said that Microsoft has sold more than 100,000,000 SharePoint licenses, doubling its partner base to over 3,300 certified partners.

I recently had a chat about the exploding SharePoint market with Rick Pleczko, president and CEO of Idera Software, and he credits Microsoft's astute marketing strategy with creating the right conditions for growth. "Microsoft did a good job of seeding the market by making Windows SharePoint Services (WSS) so accessible," Pleczko said. "[IT staff] didn't need to fight the boss to get approval to use a free product, so that really enabled proliferation across departments. SharePoint is very easy to deploy and implement, and there aren't a lot of barriers to entry. It's easy to try, easy to buy."

Like Idera, dozens of other software publishers have seen the rapid growth of the SharePoint market, and they see lots of opportunities to provide tools that help admins deploy, manage, and secure their sprawling SharePoint footprints. "In our experience, many deployments are still relatively young, so for them migration, deployment, and backup/recovery are still at the forefront of their organizations' priorities," says Ken Allen, Director of Marketing at Axceler. "[We're also] hearing from customers that the use of hosted services is on the rise, and we expect to continue to see strong demand for security capabilities. Richer applications (such as workflow-enabled apps) are coming in as these deployments get more mature."

Covering the Basics 

In an era where many IT companies—Microsoft included—are hoping to develop the Next Big Thing, Microsoft's approach to the SharePoint market has hit pay dirt by focusing less on next-generation feature sets and more on providing solutions that customers truly need. Just about every IT department is tasked with creating some form of public folder solution that lets employees share files and documents throughout an organization. Public folders have lots of limitations, so the arrival of SharePoint—which provided a host of features aimed squarely at taking document sharing and management to the next level—found a very receptive audience. "At its core [SharePoint] really is a step up from the old shared folder system, but with a more elegant content presentation interface," says Scott Gode, Director of Marketing at Azaleos. "Companies need a more elegant way to store corporate information, and SharePoint delivers."

Looking to the Future 

As popular as SharePoint has become, there are competitive threats on the horizon. A host of web-based document file-sharing and collaboration tools have emerged in recent years, ranging from Google Docs/Sites to web startups such as Ecofiling (www.ecofiling.com) and other free and low-cost alternatives. Most lack the tight integration with other Microsoft products and technologies (e.g., Active Directory) that some IT pros demand, so they might not emerge as serious contenders to SharePoint's dominance in the segment.

"The concept of what SharePoint is trying to deliver as a strong document management platform coupled with collaborative features is definitely here to stay," says Gode. "The question for Microsoft is whether or not/how they can continue to learn from the market and the competition and adjust and grow the product so that they can stay on the leading edge."

InstantDoc ID 102021


JEFF JAMES (jjames@windowsitpro.com) is Editor-in-Chief, Web Content Strategist for Penton Media's IT Publishing Group. He specializes in server operating systems, systems management, and server virtualization.


Talk Back: Tell Us What You Think

We're always eager to hear reader feedback on everything we do here at Windows IT Pro, so I encourage you to let us know what's on your mind. Please drop me an email at jjames@windowsitpro.com, follow me on Twitter @jeffjames3, or give me a call directly at 970-203-2775. We also invite you to participate in an online survey about using SharePoint, which you can access at http://tinyurl.com/cajhgt.
READER FEEDBACK


SharePoint FAQs
IT in the Cloud
AD Audit Tool
Where's #8?
SharePoint FAQs Clarified

Michael Otey presents a reasonable set of points in his Top 10 column, "SharePoint FAQs" (March 2009, InstantDoc ID 101148). But I'd like to correct a few inaccuracies.

4. Do I need Microsoft SQL Server to use SharePoint? —Michael writes the following: "SharePoint installs what it calls Windows Internal Database—actually SQL Server 2005 Express—which is free." Michael uses the term "SharePoint" without distinguishing between Windows SharePoint Services (WSS) 3.0 and Microsoft Office SharePoint Server (MOSS) 2007. Here are the facts: The Windows Internal Database is what you get when you install WSS 3.0 using the Basic Installation (or Advanced Installation plus Single-Server option). It's a version of SQL Server 2005 Express that has no 4GB limit in the size of the databases possible. The equivalent installation of MOSS 2007 doesn't install Windows Internal Database; it installs the standard SQL Server 2005 Express with the 4GB limit.

5. What types of documents does SharePoint allow collaboration on? —Michael's answer suggests that you can store only Office documents in SharePoint, but it is correct in that full functionality is possible only with Office document types (with Office 2007 offering more in connection with SharePoint 3.0 than Office 2003 and so on).

6. Why should I use SharePoint instead of a file share? —The flipside would be, "Why shouldn't I use SharePoint instead of a file share?" The space that a single document takes up when stored in SharePoint as a blob, compared with its size in a file system, is only one of the reasons against this idea (backup times being another). Basically, no one should just dump their entire file system into a SharePoint system.

7. Do I have to program in .NET to develop SharePoint sites? —Michael's point here is valid, but the final sentence is too restrictive. Yes, you can enhance SharePoint's functionality by writing code, but this code doesn't necessarily have to be in the form of Web Parts.

10. What's a good resource for learning more about SharePoint? —Beyond Windows IT Pro's Office & SharePoint Pro website (www.officesharepointpro.com), you'll find many terrific books about SharePoint 3.0. Similarly, Microsoft has a massive amount of mostly well written information on the subject.

—Mike Walsh 

AD Audit Tool or Change Tracker 

I just finished reading Jim Turner's "Track Active Directory Changes" (February 2009, InstantDoc ID 100428). The solution is excellent at producing point-in-time snapshots of an environment, but I wouldn't want to rely on it as an audit tool.

In the case of the high-level security-related groups such as Domain Admins and Enterprise Admins, the implementation wouldn't capture a change if a user was added to one of those groups, that new authority was used to perform some action, and then the user was removed from the group. A group-membership "auditing" tool such as this would fail to notice such a change if all the changes occurred in between executions of the script. You could run the script more often than once a day, but that approach only shortens the window in which a change could be missed.

I find that a more secure method to audit 
high-level groups such as these involves the 
auditing ability built in to the Windows OS 
itself. You can then use a process such as 
System Center Operations Manager's Audit 
Collection to consolidate the audit logs to a 
single location for review. 

—David Loder 
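As an added example (not part of the letter, and not Jim Turner's script), the following PowerShell script runs both approaches over constructed data: a snapshot diff that sees nothing, and a reconstruction from member-added/member-removed audit events that recovers the short-lived membership. It assumes PowerShell 3.0 or later syntax; event IDs 4728 and 4729 are the Security log's member-added and member-removed events for security-enabled global groups, and every account name, timestamp and event value below is constructed.

```powershell
# Added example (not from the magazine): why a daily membership snapshot misses a
# transient add/use/remove of a privileged group, and how audit events catch it.
# On a real domain controller the events would come from
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4729 }
# Everything below is constructed sample data.

$snapshots = @(
    @{ Taken = [datetime]'2009-06-01 02:00'; Members = @('alice', 'bob') },
    @{ Taken = [datetime]'2009-06-02 02:00'; Members = @('alice', 'bob') }
)

# Between the two snapshots, "mallory" is added to Domain Admins and removed again.
$events = @(
    [pscustomobject]@{ Time = [datetime]'2009-06-01 09:15'; Id = 4728
                       Group = 'Domain Admins'; Member = 'mallory'; Actor = 'bob' },
    [pscustomobject]@{ Time = [datetime]'2009-06-01 17:40'; Id = 4729
                       Group = 'Domain Admins'; Member = 'mallory'; Actor = 'bob' }
)

function Compare-MembershipSnapshots {
    # The snapshot approach: members present in one snapshot but not the other.
    param($Before, $After)
    Compare-Object -ReferenceObject $Before.Members -DifferenceObject $After.Members |
        ForEach-Object {
            $change = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
            [pscustomobject]@{ Member = $_.InputObject; Change = $change }
        }
}

function Get-MembershipWindows {
    # The log-based approach: pair each add (4728) with the next remove (4729) for the
    # same member and report every interval of membership, however short. Members
    # still open at the end of the log are reported with no RemovedAt.
    param($Events, [string]$Group)
    $open = @{}
    foreach ($e in ($Events | Sort-Object Time)) {
        if ($e.Group -ne $Group) { continue }
        switch ($e.Id) {
            4728 { $open[$e.Member] = $e }
            4729 {
                if ($open.ContainsKey($e.Member)) {
                    $added = $open[$e.Member]
                    [pscustomobject]@{
                        Group = $Group; Member = $e.Member
                        AddedAt = $added.Time; AddedBy = $added.Actor
                        RemovedAt = $e.Time; RemovedBy = $e.Actor
                        Minutes = [int]($e.Time - $added.Time).TotalMinutes
                    }
                    $open.Remove($e.Member)
                }
            }
        }
    }
    foreach ($m in $open.Keys) {
        [pscustomobject]@{
            Group = $Group; Member = $m
            AddedAt = $open[$m].Time; AddedBy = $open[$m].Actor
            RemovedAt = $null; RemovedBy = $null; Minutes = $null
        }
    }
}

$diff = @(Compare-MembershipSnapshots $snapshots[0] $snapshots[1])
"Snapshot diff found $($diff.Count) change(s)."   # 0: the transient member is invisible

# The event reconstruction shows mallory, added 09:15 by bob, removed 17:40 by bob,
# 505 minutes of Domain Admins membership that no snapshot ever contained.
Get-MembershipWindows -Events $events -Group 'Domain Admins' | Format-Table -AutoSize
```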


Windows IT Pro welcomes feedback about the magazine. Send comments to letters@windowsitpro.com, and include your full name, email address, and daytime phone number. We edit all letters and replies for style, length, and clarity.


IT in the Cloud 

I'm writing in response to Jeff James's IT Pro Perspective column, "Cloud Computing" (January 2009, InstantDoc ID 100943). As a self-employed IT consultant, I've discovered that cloud computing can be both a benefit and a hindrance. On the benefit side, I get a lot of use from my Google Docs account while I'm offsite. I have several documents that I need constant access to, and Google Docs has made that possible for me. On the hindrance side, I'm wary of websites that offer offsite backup services simply because if these websites were ever to experience downtime, I would face the inability to retrieve my data. I'm still a fan of offsite storage. However, I perform my offsite storage by making a second copy of my backup to storage media and storing that media at another location.

—Matthew B. Howell 


The intent of my utility is to assist in auditing; it doesn't replace the functionality of a real-time auditing app. My app uses existing tools and doesn't require additional software. It's free and works well for showing changes that occur on a daily basis, as long as you take daily snapshots. If you want real-time auditing, you'll have to pay for that.

—Jim Turner 

InstantDoc ID 101982 



Where's the 8th Tip? 

The cover of your April 
2009 issue blares, "8 
Time-Saving IT Tips!" I 
demand a recount! Is this 
a hanging-chad thing? 



—Dimitrios Kalemis


Ummmmm... April Fools? Seriously, we regret our counting error.

—The Editorial Team 
YOUR SAVVY ASSISTANT


Humphries 

The missing link to 
IT resources 


Look Out, Outlook: 

Spring Cleaning 

Resources on email retention policies, Exchange, and more coming your way



ONLINE 

windowsitpro.com 


Update Your Data 
Protection 

Learn about Continuous Data Protection (CDP), Exchange 2007's local and cluster continuous replication features, and other more robust options through third-party offerings. Download this white paper today and avoid asking your boss, "How much data loss is acceptable?"

windowsitpro.com/go/UpdateDataProtection

Your Guide to PowerShell for 
Exchange Server 

The Exchange Management Shell Toolkit is a solid primer about the new management possibilities through EMS. Download your copy to learn the basics of using PowerShell commands to set up and customize EMS, manipulate mailboxes and groups, enable local continuous replication, and more!

windowsitpro.com/go/LeftBrain/PowerShellExchange

Step Up Your Group Policy 
Configuration 

Join industry guru Darren Mar-Elia on June 25 for break-through lessons on Group Policy. Learn more about the inner workings of this critical technology and expert techniques for speeding resolution of Group Policy problems.

windowsitpro.com/go/GroupPolicyeLearning 

Manage Cost with Business 
Process Automation 

Discover the basics of business process automation, how BPA tools work, and how they can benefit both IT and overall business efficiencies. Download this free eBook today and make your enterprise more efficient.

windowsitpro.com/go/BusinessProcessAutomation


Taking it literally, you'd think that an email retention policy would have something to do with actually retaining some emails. But when my company enforced its new guidelines, it involved a whole lot more deleting than keeping. My bold resistance soon met defeat, followed by pouting and eventually resulting in understanding. In "Establishing an Email Retention Policy: The IT Perspective" (www.windowsitpro.com, InstantDoc ID 101728), I was reminded of all the hard work IT heroes put into company-wide policy changes like this. So in remembrance of the six months worth of email messages I'll never see again, here are my top six email resources that I hope will help you for years to come.

"Exchange Management Tools Compared" (February 2009, InstantDoc ID 101054): Find out how Microsoft Exchange management tools MessageStats 4.0, PROMODAG Reports 8.4, and AppAnalyzer 4.01 match up in William Lefkovics's product comparison. See which product best assesses over- and underuse.

"Modernizing Exchange Server Backup and Recovery" (March 2009 web-exclusive, InstantDoc ID 101488): Brien M. Posey offers tips on improving your backup system and explains the performance and recovery problems with tape backup. Learn how disk-to-disk-to-tape backup often offers advanced capabilities that you can't achieve through traditional backups, and how this solution might be right for your organization.


"Xobni" (March 2009, InstantDoc ID 101726): Windows IT Pro editor Anne Grubb overviews the cool new Outlook add-on called Xobni—that's inbox spelled backwards. Check out her step-by-step guide on how to get started, and find out if this tool could help you.

"What Exchange/Outlook APIs Should I Use for Applications?" (March 2009, web-exclusive, InstantDoc ID 101503): William Lefkovics clears up the "dizzying array of APIs and technologies to access Outlook and Exchange data for application development and design."

"Virtualizing Exchange 2007 and Exchange 2003 with Hyper-V" (April 2009, InstantDoc ID 101294): In this subscriber-only exclusive article, Brien M. Posey overviews what you should consider, the processes you can follow, and the requirements you need to meet to virtualize Exchange 2007 and Exchange 2003 with Hyper-V.

Exchange & Outlook UPDATE: This free e-mail newsletter is packed with news, strategies, products, and developments in Exchange Server and Outlook messaging. Sign up to receive this weekly resource and expert commentaries at windowsitpro.com/email.

You can find more Exchange and Outlook resources at windowsitpro.com/MicrosoftExchangeOutlook, or send me an email at Christan.Humphries@penton.com. Just make sure to put "Urgent" in the subject and add a few flags so it makes it through my email retention net!

InstantDoc ID 101902 
NEED TO KNOW


Thurrott 

"Obviously, you'll want to do your own testing, 
but it appears that most environments will 
experience few, if any, issues with this update." 




What You Need to Know About 
Windows Server 2008 SP2 and Vista SP2 


By the time you read this, Microsoft will have released SP2 for both Windows Server 2008 and Windows Vista. And yes, the same service-pack executables service both systems, thanks to Microsoft's decision to lock development of its desktop and server OSs to each other. Vista received a major SP1 release a year ago, but Server 2008 shipped with the SP1 bits preinstalled. So SP2 is, in fact, the first service pack for Server 2008. It's also a more traditional service pack that aggregates previously shipped updates, adding just a few minor functional changes. Here's what you need to know about Server 2008 SP2 and Vista SP2.

What SP2 Isn't 

Although SP2 services both Vista and Server 2008, it doesn't update the initial shipping version of Server 2008 to Server 2008 R2. That release will ship in the second half of 2009, adding such features as Windows Server 2008 R2 Hyper-V 2.0 with Live Migration, Windows PowerShell 2.0, Server Core with ASP.NET (and .NET Framework) and PowerShell support, and more. (To learn more about R2, see "What You Need to Know About Windows Server 2008 R2," at www.windowsitpro.com, InstantDoc ID 101225.)

SP2 Updates for Server 2008 and Vista 

SP2 includes many minor improvements that apply to both Server 
2008 and to Vista. These include the following: 

Windows Search 4.0. Available now as a separate update for 
Vista, Windows Search 4.0 offers better performance, enhanced 
Group Policy support, and the ability to index encrypted files. 

Bluetooth 2.1 support. Also available now as a separate update called the Windows Vista Feature Pack for Wireless, this update supports the latest version of the Bluetooth wireless standard.

Blu-ray data disk writing. With SP2, you can natively write to 
Blu-ray data disks from the Vista shell. (This functionality doesn't 
include creating Blu-ray movies.) 

exFAT file-system support improvements. Microsoft developed the Extended FAT, or exFAT, file system as a more modern file system for flash devices such as USB storage. (That is, it overcomes the 4GB file size limit from FAT/FAT32 and can handle more than 1,000 files in a single folder.) Microsoft added exFAT support to Vista with SP1, but with SP2 that support is extended to include UTC timestamps, facilitating file synchronization across time zones.

Wi-Fi improvements. SP2 utilizes Windows Connect Now technologies to simplify Wi-Fi configurations (this functionality is also available now as part of the Windows Vista Feature Pack for Wireless). Wi-Fi connection performance is also improved when resuming from Sleep mode.

VIA 64-bit support. Thanks to SP2, Server 2008 and Vista now 
support 64-bit VIA Technologies microprocessors. 

Power-management improvements. The default power-management policies in SP2 are approximately 10 percent more efficient than before, according to Microsoft.

Service Pack Clean-Up Tool 

SP2 comes with the Service Pack Clean-up tool (compcln.exe), 
which permanently deletes older versions of the RTM- and SP1- 
based files that SP2 replaces. This saves disk space and can reduce 
the size of future installation images. 

Specific Server 2008 SP2 Updates 

Some SP2 changes are Server 2008-specific. For example, while the original shipping version of Server 2008 included a prerelease version of Hyper-V, SP2 includes the final shipping version of Hyper-V 1.0. Hyper-V brings with it one free guest OS installation with Server 2008 Standard Edition, four free licenses with Server 2008 Enterprise Edition, and an unlimited number of free licenses with Server 2008 Datacenter Edition. SP2 also cleans up some Terminal Server license-key issues.

Recommendations 

SP2 for Server 2008 and Vista is a collection of previously released hotfixes and other updates, packaged together for simpler deployment. Microsoft doesn't expect any major hardware or software compatibility issues.

For deployment purposes, Microsoft will provide versions of both OSs that are integrated with SP2, and for the first time since the release of Vista, IT pros can easily slipstream the update themselves. I've been testing various prerelease versions of SP2 since last year and have experienced no problems whatsoever. Obviously, you'll want to do your own testing, but it appears that most environments will experience few, if any, issues with this update.
WINDOWS POWER TOOLS



Minasi 

"A friend came running up to me, 
looking a bit panicked: An error in his 
Bcdedit typing had left his system 
in a non-bootable state." 


2 Bcdedit Troubleshooting Tips 

Reap the benefits of a bootable WinPE CD and the Truncatememory switch 


This month, I want to take a final look at Bcdedit, the Windows Vista (and later) tool that lets you modify your system's boot configuration data (BCD) database. Specifically, I'd like to share a couple of instances in which I've used Bcdedit as a troubleshooting and system-recovery tool and come away with valuable tips that are applicable in any environment.

Tip #1: Make a Bootable WinPE CD or USB Stick 

At a conference, a friend came running up to me, looking a bit 
panicked. After he explained what he'd done, I understood why. He 
was running Vista on his laptop, and he'd just read about all the cool 
things that Bcdedit can do, so he decided to try the command on his 
system. You guessed it: An error in his Bcdedit typing had left his 
system in a non-bootable state. He'd grabbed me because he'd read 
about Bcdedit in my book Administering Windows Vista Security. 

Puzzled, I asked, "Didn't you first create a copy of the working Bcdedit OS entry, as I instructed on page 12?" Sheepishly, he admitted that he hadn't, so he couldn't boot his system. In my testing, I'd never painted myself into this particular corner, so that meant I didn't have a close-to-hand solution—but then I remembered that I had a bootable Windows Preinstallation Environment (WinPE) CD-ROM in my laptop bag.

Figuring we couldn't make things any worse, we booted up his laptop from the CD-ROM, typed in the Bcdedit command, and lo and behold, the BCD database appeared on his hard disk. A quick Bcdedit /deletevalue command undid his goof, and the system rebooted like a charm. To learn about making a bootable WinPE CD-ROM, check out Issue #59 of my Windows Networking Tech Page (www.minasi.com/newsletters/nws0701.htm).

Tip #2: Use Truncatememory to Smoke Out a Bad Memory Location

I was on the road again, in my hotel room bright and early, when I fired up my laptop and faced a blue screen. Now, I'd seen this blue-screen warning before: The system was attempting to load the OS into bad memory. I also knew the simple procedure that solves this problem most of the time: Open the computer's casing, remove the RAM, and reset it. Just one problem: I'd rearranged my travel bag and neglected to bring my just-short-enough-to-get-past-airport-security Phillips screwdriver, so I couldn't get into the computer to remove the small-outline dual-inline memory modules (SO-DIMMs).


That's when I remembered that boot.ini used to let me instruct my computer to boot Windows XP but ignore any RAM past a certain memory address. That capability would be useful, I reasoned, because my laptop has 8GB of RAM, and Vista can run in 512MB if necessary. If I got lucky, the troublesome memory address would be above 512MB, and I could simply instruct Vista not to use any of the memory above 512MB. I booted up my laptop with that WinPE CD-ROM, and all was well (pretty much proving that the bottom 512MB was fine). As I showed you in "Bcdedit Basics" (InstantDoc ID 101168) and "Booting Up with Bcdedit" (InstantDoc ID 101362), I could use WinPE's Bcdedit to control the way my copy of Vista would boot, and I could use the Bcdedit /v command to obtain the GUID of the OS entry identifying my system's default boot configuration (i.e., {5605e930-fb47-11dc-88fe-d235397e182d}). That information let me build this command:

bcdedit /set {5605e930-fb47-11dc-88fe-d235397e182d} truncatememory 536870912

On the OS entry identified by the {5605e930-fb47-11dc-88fe-d235397e182d} GUID, Bcdedit would now boot the system with the restriction that it can't see any RAM above the 536,870,912th byte (512MB = 536,870,912 bytes).

If this worked, I would demonstrate that the RAM plugged into the first half-gigabyte of physical addresses was trouble-free. It did work, so I felt bold enough to try a few larger values, and I quickly found that I was OK for roughly the first 2.5GB. (Those binary searches I learned about many years ago sure paid off!) I got the presentation done, borrowed a screwdriver from a helpful audience member, and was up and running at 8GB in no time.

Bonus Tip: Software Testing 

Another great use of Bcdedit's Truncatememory switch is software 
testing. Have you ever needed to test an app before you let it loose 
in your environment? Sure, you have. But what if you have 4GB of 
RAM on your desktop, and the average user has 1GB? You could start 
pulling out RAM chips to ensure proper testing—or you could just 
put Truncatememory to good use.

Otey

"PowerShell 2.0 adds several important features to the PowerShell language
and development experience that make it easier to use."


New Features in Windows PowerShell 2.0 

Remoting, script debugging, and other features fill PowerShell gaps 


If you've wanted to take advantage of PowerShell scripting but
found the learning curve a bit too steep, PowerShell 2.0 might
be just the ticket. Expected to be released in the second half
of 2009, PowerShell 2.0 adds several important features to the
PowerShell language and development experience that make
it easier to use and fill in some of the gaps that were present in
PowerShell 1.0. Here are my top ten favorite new features.

New cmdlets—PowerShell 2.0 includes 24 new cmdlets. Some
of the cmdlets work with debugging, Windows Management
Instrumentation (WMI), and background jobs. Out-GridView is
one of my favorites; it displays the results of other commands in an
interactive table so that you can sort and search the data.

Background jobs—PowerShell 1.0 doesn't have the ability to
run a background process, which makes it tough to replace
Windows Shell scripts that make use of the Start command.
PowerShell 2.0's new Start-PSJob cmdlet asynchronously runs
background jobs on local or remote systems. For more information,
you can run

get-help about_psjob

New operators—PowerShell 2.0 provides three useful new
operators. The @ operator (pronounced splat) passes a collection
of parameters; -split breaks a string into an array; and -join
concatenates multiple strings, adding separators.

New built-in variables—PowerShell 2.0 includes four new built-in
variables. The $commandLineParameters variable accesses
command line parameters. $PSVersionTable reports the current
PowerShell version. $Culture and $UICulture report the current culture
(i.e., the language setting) and UI culture information.

Try-Catch-Finally—Following in the footsteps of the other
.NET languages, PowerShell 2.0 adds the standard Try-Catch-Finally
structure to the language. You use the Try block to safely
execute one or more statements. If an error occurs, the code in the
Catch block will be executed. An optional Finally block contains
code that is run after the Try-Catch portion completes.

PowerShell Hosting APIs—Microsoft has included PowerShell
scripting support in all its recent server products, including
Exchange Server 2007, SQL Server 2008, and Windows Server
2008, as part of its Common Engineering Criteria. The new PowerShell
Hosting APIs promise to extend PowerShell functionality to other products
because they simplify hosting PowerShell in applications.

Script debugging—Another important improvement in
PowerShell 2.0 is its enhanced debugging capabilities. PowerShell
2.0 has a cmdlet-based debugger that lets you set breakpoints
and step through your scripts using the PowerShell console
window without needing any graphical development tools. To find out
more about PowerShell 2.0's script debugging, run the command

get-help about_debugger

ScriptCmdlets—In PowerShell 1.0, you need to program in
.NET to create new cmdlets. This requirement means that
typically only developers can make new cmdlets. PowerShell
2.0 lets administrators create ScriptCmdlets using PowerShell itself.
For more information about creating ScriptCmdlets, run

get-help about_scriptcmdletparameters
get-help about_scriptcmdletmethods

Remoting—One of the most important changes in PowerShell
2.0 is support for running scripts on remote systems. PowerShell
Remoting lets you run scripts on remote networked systems.
This new remoting support requires that PowerShell 2.0 be installed on
both the local and remote systems. For more information, run

get-help about_remoting

Integrated Scripting Environment—My favorite PowerShell 2.0
feature is the new Integrated Scripting Environment. ISE is a
multitabbed graphical PowerShell development platform that
features color-coded syntax. It also includes debugging capabilities
that let you set breakpoints and step through your PowerShell
scripts. If you've had trouble getting started with PowerShell, ISE will
definitely kick start your PowerShell scripting.
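The features above in one script. This is an added example, not code from the column; it assumes PowerShell 2.0 or later, and the service names it looks up are made up.

```powershell
# Added example (not from the column). Exercises the PowerShell 2.0 features
# listed above; the service names are constructed sample input.

# Built-in variable: $PSVersionTable does not exist on PowerShell 1.0, so a
# missing value means the rest of this script would not even parse there.
if (-not $PSVersionTable -or $PSVersionTable.PSVersion.Major -lt 2) {
    throw 'This script needs PowerShell 2.0 or later.'
}

# -split and -join: string to array and back. The last name is deliberately
# bogus so the error path below is exercised.
$serviceList = 'WinRM;BITS;Spooler;NoSuchService'
$services    = $serviceList -split ';'
$display     = $services -join ', '

# Splatting: gather parameters in a hashtable and pass them with @.
$lookup = @{ Name = $services; ErrorAction = 'Stop' }

# Try-Catch-Finally: ErrorAction Stop turns "service not found" into a
# terminating error, so it lands in Catch instead of scrolling past.
try {
    $found = @(Get-Service @lookup)
    'Found {0} of {1} services ({2}).' -f $found.Count, $services.Count, $display
}
catch {
    'Lookup failed: {0}' -f $_.Exception.Message
}
finally {
    # Runs either way. $PSCulture and $PSUICulture are the names these two
    # variables shipped under (the column uses the preview names $Culture
    # and $UICulture).
    'Culture {0}, UI culture {1}' -f $PSCulture, $PSUICulture
}

# Background job: the preview cmdlet the column calls Start-PSJob shipped as
# Start-Job. The event-log query runs in the background; the console stays
# usable until the results are collected.
$job = Start-Job -ScriptBlock {
    Get-EventLog -LogName System -Newest 5 |
        Select-Object TimeGenerated, EntryType, Source, EventID
}
Wait-Job $job -Timeout 60 | Out-Null
$events = Receive-Job $job
Remove-Job $job -Force

# Out-GridView (one of the new cmdlets) needs an interactive session, so
# fall back to a plain table where it is not available.
if (Get-Command Out-GridView -ErrorAction SilentlyContinue) {
    $events | Out-GridView -Title 'Newest System events'
} else {
    $events | Format-Table -AutoSize
}
```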
WHAT WOULD MICROSOFT SUPPORT DO?


Morales 

"When your diagnostic tools are unavailable, 
having a backup troubleshooting plan is vital." 



Administrators' Intro to Debugging 

Get familiar with using the Windows debugger as a backup diagnostic tool 


As a Windows administrator, you realize the crucial role
that tools play in helping you diagnose and resolve
system problems. Previously, I've discussed two
essential tools that help identify process leaks: user-mode
dump heap (UMDH) and DebugDiag. (See this
article's Learning Path at www.windowsitpro.com,
InstantDoc ID 101818, for links to these and my other columns.)
However, sometimes these tools add too much overhead to the
system, causing high CPU usage and creating a situation that makes
running UMDH or DebugDiag impractical. When your diagnostic
tools fail or become unavailable, the problem becomes much more
difficult to solve, so having a backup troubleshooting plan is vital.

Do you have an alternative approach when you can't use your
regular set of troubleshooting tools? My aim in this article is to provide
you with at least one backup plan and demonstrate the importance
of learning about Windows internals and using the Windows
debugger to find helpful nuggets of diagnostic information.

Debugging a Bloated Process 

Recently we resolved a customer issue where wmiprvse.exe (the 
WMI Provider Host process) was consuming increasing amounts 
of memory. The customer provided a dump file to help determine 
the root cause. We started by enabling DebugDiag and UMDH 
separately. However, when each tool ran, we saw that the CPU was 
constantly spiked at 100 percent, thus freezing the system. Since our 
regular troubleshooting tools overstressed the system, we needed to 
turn to our backup plan. 

We had only the 185MB wmiprvse.exe process dump file to help
us identify why the process had bloated to such a large
size and what, if anything, the customer could do to
decrease the memory consumption. First we opened
the dump file using the windbg.exe debugger included
in the Debugging Tools for Windows. (You can download
the Debugging Tools for Windows at
www.microsoft.com/whdc/devtools/debugging/default.mspx.) The
debugging toolset is a must-have for any administrator
who wants to dig a little deeper into system problems.

You can retrieve a lot of information from a dump file by 
using the debuggers without being a debugging expert 
or having a lot of code knowledge. 

To debug the dump file, we followed these steps:

1. Start windbg.exe.

2. Ensure that the Symbol path is set correctly by clicking File,
Symbol File Path, then typing the following path into the box
provided:

srv*c:\symbols*http://msdl.microsoft.com/download/symbols

(Symbols are files that translate machine code into easy-to-read
function calls.)

3. Open the wmiprvse.dmp file in the Windbg debugger by
selecting File, then clicking Open Crash Dump.

We then entered this command in the debugger: 

!address -summary 

This is a handy command because it provides a summary of the 
type of memory consumed within the process, as you can see in 
Figure 1. 

The most important column in the output is the Pct(Busy) 
column, which represents the type of memory consumed on a 
percentage basis. We quickly scanned this column and identified 
that the RegionUsageHeap memory was the highest consumer at 
74 percent. RegionUsageHeap is the label for heap memory, an area 
of memory reserved for processes to store data. Every process has 
heap memory, which is initially 1MB by default. However, this area 
can grow, and more memory will be allocated for the heap as the 
process requires. 

Understanding that heap memory is where a program stores
its data was a key component in our investigation. You can think
of heap memory as a bucket represented as an address of memory
where applications store process-specific
data. Since a process can have several heap
"buckets," it's important to know which
bucket you want to explore because not
every heap will be filled with data and high
in memory usage. Our goal was to dump
out the heap bucket consuming the highest
amount of memory to try to identify some
clues about why the process was consuming
so much memory.

-------------------- Usage SUMMARY --------------------------
    TotSize (      KB)   Pct(Tots) Pct(Busy)   Usage
     140b000 (   20524) : 00.98%   08.14%    : RegionUsageIsVAD
    709b8000 ( 1844960) : 87.98%   00.00%    : RegionUsageFree
     2636000 (   39128) : 01.87%   15.52%    : RegionUsageImage
      4c0000 (    4864) : 00.23%   01.93%    : RegionUsageStack
       13000 (      76) : 00.00%   00.03%    : RegionUsageTeb
     b720000 (  187520) : 08.94%   74.37%    : RegionUsageHeap
           0 (       0) : 00.00%   00.00%    : RegionUsagePageHeap
        1000 (       4) : 00.00%   00.00%    : RegionUsagePeb
        1000 (       4) : 00.00%   00.00%    : RegionUsageProcessParametrs
        2000 (       8) : 00.00%   00.00%    : RegionUsageEnvironmentBlock
Tot: 7fff0000 (2097088 KB) Busy: 0f638000 (252128 KB)

Figure 1: Output of !address -summary command

0:000> !heap -stat
_HEAP 00700000
     Segments            00000008
         Reserved  bytes 08000000
         Committed bytes 06c03000
     VirtAllocBlocks     00000000
     VirtAlloc bytes     00000000
_HEAP 00090000
     Segments            00000006
         Reserved  bytes 02000000
         Committed bytes 00881000
     VirtAllocBlocks     00000000
     VirtAlloc bytes     00000000
_HEAP 00030000
     Segments            00000003
         Reserved  bytes 00310000
         Committed bytes 002a1000
     VirtAllocBlocks     00000000
     VirtAlloc bytes     00000000

Figure 2: Running !heap -stat to view highest-to-lowest heap address

Consulting the Debugger Help File

As I mentioned, a process will have several
heap buckets available to explore, so we
needed a way to conduct a more targeted
investigation. This is where the debugger
Help file (debugger.chm) saved the
day. When you aren't sure what debugger
command to use to investigate a problem,
try searching in debugger.chm for a term
relevant to your investigation. For example,
if you search for the term "heap," the first hit
you receive is the !heap command and all
the !heap parameters.

Running the !heap command displays a
list of heap memory addresses, but this list
alone wouldn't provide enough information
to find the heap bucket containing the highest
amount of memory usage. As I scrolled
through the !heap parameters, I noticed the
-stat parameter, which displays heap usage
statistics. Remembering that our goal was
to find the heap (or bucket) containing the
most memory, I ran this command:

!heap -stat

As Figure 2 shows, running this command
displays each heap in descending
order, from highest to lowest consumer.
So the first heap displayed is the heap
address we need to investigate.

Notice in Figure 2, each heap bucket
is designated with a specific address.
The first heap bucket is designated by
the 00700000 address; the next heap is
located at address 00090000. The important
row is Committed bytes—the amount
of memory committed in this particular
heap. And we know that heap 00700000
is the highest-memory-consuming heap
because the -stat parameter displays
each heap in highest-to-lowest order
based on memory consumption. For
further confirmation, we can convert the
committed bytes hexadecimal number
06c03000 to decimal either using calc.exe
(i.e., the Windows calculator) or within
the debugger by using the ? (Evaluate
Expression) command, as follows:

0:000> ?06c03000 

Evaluate expression: 113258496 = 06c03000 

(The second line is the command's output.)
113258496 is 06c03000 converted into decimal,
so this output confirms for us that this
heap address contains 113MB of memory.
Considering that the entire process consumed
185MB of memory, we can be fairly
certain that we're on the right track. We
know our process is bloating because of
heap usage, and we know that our highest-consuming
heap contains 113MB. Now we
can enter debugger commands that will
display the contents of this heap, which may
point to hints about why the process is utilizing
so much memory. Simply displaying the
heap might not reveal a smoking gun, but
the information you find could point you in
the right direction, as it did for us.

To dump out the heap, we use the dc
command (which displays the values as DWORDs
alongside their ASCII characters) followed by
the heap address. So in our case, the command
and partial output would look like that in Figure 3.

The output in Figure 3 reveals the beginning
part of the heap. Usually you'll need to
keep dumping out more and more heap (by
pressing Enter after the initial dc command
output is displayed), to reveal interesting
information. Web Figure 1 (at www.windowsitpro.com,
InstantDoc ID 101818) shows the
section of the dump containing information
that helped us deduce that our heap memory
was consumed by information generated
by Event Tracing for Windows (ETW).
Notice we even found the filename and
location in the dump: D:\AppData\Logs\
MSTrace_20080615_221501_SERVER1.etl.
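Added example, not the column's code: a PowerShell script that ranks the heaps in saved !heap -stat output and extracts readable strings from saved dc output, which is how a filename like the .etl above surfaces. The !heap -stat sample repeats Figure 2; the dc sample, the path in it, and the function names are constructed.

```powershell
# Added example (not from the column). Get-HeapCommitSummary ranks the heaps
# in "!heap -stat" text by committed bytes (the same hex-to-decimal step as
# "? 06c03000"); Get-DumpStrings rebuilds the bytes behind "dc" lines and
# pulls out ASCII and UTF-16LE strings.

function Get-HeapCommitSummary {
    param([Parameter(Mandatory=$true)][string[]]$Lines)
    $heaps = @(); $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*_?HEAP\s+([0-9a-fA-F]{8})') {
            $current = New-Object PSObject -Property @{ Address = $matches[1]; CommittedBytes = [long]0 }
            $heaps += $current
        } elseif ($current -and $line -match '^\s*Committed bytes\s+([0-9a-fA-F]{8})') {
            $current.CommittedBytes = [Convert]::ToInt64($matches[1], 16)
        }
    }
    # !heap -stat already prints the largest heap first; sorting confirms it.
    $heaps | Sort-Object CommittedBytes -Descending |
        Select-Object Address, CommittedBytes,
            @{ n = 'CommittedMB'; e = { [math]::Round($_.CommittedBytes / 1e6, 1) } }
}

function ConvertFrom-DcOutput {
    # Each dc line is: address, up to four DWORDs, ASCII column. The DWORDs
    # are little-endian, so each one becomes four bytes, low byte first.
    param([Parameter(Mandatory=$true)][string[]]$Lines)
    $bytes = New-Object 'System.Collections.Generic.List[byte]'
    foreach ($line in $Lines) {
        if ($line -match '^\s*[0-9a-fA-F]{8}\s+((?:[0-9a-fA-F]{8}(?:\s+|$)){1,4})') {
            foreach ($dword in ($matches[1].Trim() -split '\s+')) {
                $bytes.AddRange([BitConverter]::GetBytes([Convert]::ToUInt32($dword, 16)))
            }
        }
    }
    return $bytes.ToArray()
}

function Get-DumpStrings {
    # Printable runs of at least MinLength characters, as 8-bit ASCII and as
    # UTF-16LE (printable byte, zero byte: the "P.p.P.p." pattern in Figure 3).
    param([Parameter(Mandatory=$true)][string[]]$DcLines, [int]$MinLength = 6)
    [byte[]]$b = ConvertFrom-DcOutput -Lines $DcLines
    $isPrint = { param($x) $x -ge 0x20 -and $x -le 0x7e }
    $i = 0
    while ($i -lt $b.Length) {
        $start = $i
        while ($i -lt $b.Length -and (& $isPrint $b[$i])) { $i++ }
        if ($i - $start -ge $MinLength) {
            New-Object PSObject -Property @{ Offset = $start; Encoding = 'ASCII';
                Text = [Text.Encoding]::ASCII.GetString($b, $start, $i - $start) }
        }
        if ($i -eq $start) { $i++ }
    }
    $i = 0
    while ($i -lt $b.Length - 1) {
        $start = $i
        while ($i -lt $b.Length - 1 -and (& $isPrint $b[$i]) -and $b[$i + 1] -eq 0) { $i += 2 }
        if (($i - $start) / 2 -ge $MinLength) {
            New-Object PSObject -Property @{ Offset = $start; Encoding = 'UTF-16LE';
                Text = [Text.Encoding]::Unicode.GetString($b, $start, $i - $start) }
        }
        if ($i -eq $start) { $i++ }
    }
}

# Sample 1: the three heaps from Figure 2.
$heapStat = @'
0:000> !heap -stat
_HEAP 00700000
         Committed bytes 06c03000
_HEAP 00090000
         Committed bytes 00881000
_HEAP 00030000
         Committed bytes 002a1000
'@ -split "`r?`n"

# Sample 2 (constructed): line 1 is binary, lines 2-4 hold a made-up path
# as UTF-16LE, line 5 an 8-bit ASCII string.
$dcOutput = @'
0:000> dc 00701220
00701220  000000c8 0000018d eeffeeff 00001002  ................
00701230  003a0044 004c005c 0067006f 005c0073  D.:.\.L.o.g.s.\.
00701240  00610073 0070006d 0065006c 0065002e  s.a.m.p.l.e...e.
00701250  006c0074 00000000 00000000 00000000  t.l.............
00701260  63617254 6e6f2065 00000000 00000000  Trace on........
'@ -split "`r?`n"

$top = Get-HeapCommitSummary -Lines $heapStat | Select-Object -First 1
'Largest heap {0}: {1} bytes ({2} MB) committed' -f $top.Address, $top.CommittedBytes, $top.CommittedMB
Get-DumpStrings -DcLines $dcOutput | Format-Table Offset, Encoding, Text -AutoSize
```

On a real dump, save the debugger output to a file and feed it in with Get-Content; the UTF-16LE pass is the one that finds Windows paths, since the heap holds them as wide strings.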

Problem Solved 

Our biggest clue that the data contained in
the heap was indeed ETW tracing-related
information was the file extension .etl,
which is associated with ETW. As it turned
out, the customer hadn't realized ETW tracing
was still enabled for a previous problem
resolved months before. Turning off ETW
tracing resolved the customer's problem,
and the wmiprvse.exe process's memory
consumption decreased immediately. By
knowing a few debugger commands and a
little about OS internals, you can successfully
troubleshoot when your usual tools
aren't available.

InstantDoc ID 101818 


MICHAEL MORALES (morales@microsoft.com)
is a senior escalation engineer for Microsoft's
Global Escalation Services team. He specializes
in advanced Windows debugging and performance-related
issues. For information about Windows
debugging, visit blogs.msdn.com/ntdebugging.

Special thanks to Venkatesh Ganga, a Microsoft
senior escalation engineer, who contributed
to this article.


0:000> dc 00700000
00700000  000000c8 0000018d eeffeeff 00001002  ................
00700010  00000000 0000fe00 08000000 00002000  ............. ..
00700020  00000200 00002000 000575c7 7ffdefff  .... . ..u......
00700030  06080006 00000000 00000000 00000000  ................
00700040  01d10000 01d100e0 0000000f fffffff8  ................
00700050  00700050 00700050 00700640 01800000  P.p.P.p.@.p.....
00700060  02610000 029d0000 04380000 05830000  ..a.....8.......

Figure 3: Using the dc command to display a heap's contents
Repartition Windows Servers
with GParted

As many of you probably know, Symantec's
Norton PartitionMagic (formerly
PowerQuest's PartitionMagic) doesn't
run on Windows servers. There are a
few expensive commercial partitioning
programs that will repartition Windows
servers. However, there's also an open-source
alternative: Gnome Partition
Editor (GParted), which is licensed under
the GNU General Public License (GPL).

You can download this free utility
from SourceForge.net (gparted.sourceforge.net).
The Documentation page
(gparted.sourceforge.net/documentation.php)
provides links to detailed information
on how to install it and use it for
such tasks as creating, resizing, copying,
and deleting partitions.

GParted works great with RAID and
NTFS partitions. I've run GParted on
multiple Windows Server 2003 servers
with RAID 1 and RAID 5 without any
problems. I had one server on which I
needed to run the CHKDSK /R command
before GParted would run. After running
this command, GParted completed
successfully.

Note that because GParted is an
open-source program, you use it at your
own risk. Therefore, it's important that
you create a good backup before you
run GParted. Failure during repartitioning
could cripple a server or workstation.

I have to give credit to Charles Schlue
for bringing this program to my attention.
It has worked great so far.

—Chris Betlach, IT Manager, Haldeman-Homme
InstantDoc ID 101800
Use DevCon to Manage Finicky
Hardware

Being an audio enthusiast, I'm an avid user 
of sound cards. For the past couple of years, 
I've had an ongoing battle in getting a 
sound card to work with Windows XP SP2. 
Although I haven't been able to determine 
the root cause of the problem, I recently 
came up with an effective workaround that 
uses DevCon, a utility that lets you manage 
devices from the command line. Although 
I'm using DevCon to manage sound card 
hardware, you can use it to manage other 
types of finicky hardware as well. 

The problem began after I applied SP2
to my XP workstation two years ago. The PC
locked up immediately after I typed in my
credentials and pressed Enter during the
XP logon. With the assistance of a Microsoft
support technician, I discovered that the
Windows Driver Model (WDM) driver (i.e.,
the Windows sound driver) for my Creative
Labs' Sound Blaster Live! card was the culprit.

The debugging effort turned out to be
one of those ordeals in which
Microsoft said it was a hardware problem,
and the hardware vendor
said it was a Microsoft problem.
As a workaround, the Microsoft support
technician found that if I
disabled the Creative SB
Live! (WDM) driver in XP's
Device Manager (devmgmt.msc),
I could at least boot
to the Windows desktop so that
I could work (without sound, though).

I later found that I could enable the
card's WDM driver once the desktop was
fully loaded. I then had a fully functional
sound card and a stable PC. The downside
was that if I forgot to disable the card's
WDM driver before I shut down the PC, it
would lock up the next time I logged on. I
then had to use the PC's reset button, get
into Windows via Safe Mode, disable the
driver, and reboot.

Over the course of the next two years,
I occasionally experimented with various
ways to try to fix the problem. I tried the
usual procedures, such as:

• Moving the Sound Blaster Live! card
to different PCI slots in an attempt to
change the IRQ that the card was using.

• Using the card's old DOS setup utility to
manually set a specific IRQ, then setting
the PC's BIOS to use only that IRQ on a
specific PCI slot and forcing Windows to
use that IRQ as well.

• Attempting to delay the startup of the
sound service by implementing the
solution presented in the Microsoft
article "How to delay loading of specific
services" (support.microsoft.com/kb/193888).

None of these solutions worked, so I
replaced the Sound Blaster Live! card with a
new Plug and Play (PnP) sound card.
The new card had a different
chipset (i.e., C-Media Electronics' C-Media)
and different WDM driver. Surprisingly, I
experienced the same problem
with the new card. Since
I preferred the Sound Blaster
Live! card's MIDI wavetable
samples and What U Hear
feature, I reinstalled it and
donated the new sound card to a relative.

At this point, I decided to automate
the tasks of enabling the Creative SB Live!
(WDM) driver after the desktop loaded and
disabling it before shutdown. I decided to
use DevCon because it lets you enable and
disable devices from the command line. To
use DevCon, though, I had to get the WDM
driver's hardware ID.

To determine the hardware ID for the
WDM driver, I opened up Device Manager,
double-clicked Sound, video and game controllers,
right-clicked the Creative SB Live!
(WDM) entry, and selected Properties.

In the WDM driver's properties page,
I clicked the Details tab. The first item in
the Property drop-down list was Device
Instance ID. The box directly underneath
the drop-down list showed that ID,
which was PCI\VEN_1102&DEV_0002&
SUBSYS_00211102&REV_03.... (I truncated
it to save space.) The first part of the device
instance ID provided the hardware ID. It
specified that the driver had a physical PCI
bus interface, the vendor was 1102 (i.e.,
Creative Labs), and the vendor's ID for the
device was 0002. The balance of the device
instance ID (anything to the right of 0002)
wasn't needed to use DevCon to enable
and disable the driver. If you're unfamiliar
with hardware IDs and device instance IDs,
check out Table 1. More detailed information
can also be found in the Microsoft articles
"Device Identification Strings"
(msdn.microsoft.com/en-us/library/ms791083.aspx)
and "Device Management and
Installation Step-by-Step Guide: Controlling
Device Driver Installation and Usage with
Group Policy" (technet.microsoft.com/en-us/library/cc731387.aspx).

Next, I used Notepad to create a .cmd
script named BAB's-SoundBlasterLiveOn.cmd,
which contained the code

@echo off
devcon enable "PCI\VEN_1102&DEV_0002"


I put this script in the C:\Windows folder. 

For my first test, I decided to try to add
BAB's-SoundBlasterLiveOn.cmd to the Local
Computer Group Policy Object (GPO) as
a startup script. After opening the Group
Policy Object Editor (gpedit.msc), I navigated
to Local Computer Policy, Computer
Configuration, Windows Settings, Scripts
(Startup/Shutdown). I highlighted Scripts
(Startup/Shutdown) in the navigation tree,
selected Startup in the right pane, then
clicked the Properties link. In the Startup
Properties dialog box, I added
BAB's-SoundBlasterLiveOn.cmd.

After rebooting and logging on, I found
that my first test didn't work. The PC locked
up. Apparently, the WDM driver was still
getting enabled too soon.

For my second test, I added
BAB's-SoundBlasterLiveOn.cmd to the OS's All
Users Startup folder. (I wanted this script to
run for all users on the PC.) In XP, this folder
is typically found at C:\Documents and
Settings\All Users\Start Menu\Programs\
Startup. I rebooted the PC and logged on.
In about 15 seconds, I saw a command window
pop up, the WDM driver load, and the
command window close. Voila—the sound
card was successfully enabled!

Now that the sound card was enabled,
I needed a way to automatically disable
the card upon shutdown. Using Notepad, I
created a .cmd script named
BAB's-SoundBlasterLiveOff.cmd, which contained the
code

@echo off
devcon disable "PCI\VEN_1102&DEV_0002"

Once again, I put this script in the C:\Windows
folder.


In this case, the timing of the disablement
wasn't as crucial, so I decided to try
using the Local Computer GPO again. I
added BAB's-SoundBlasterLiveOff.cmd to
the Local Computer GPO, but this time I
added it to the Shutdown Properties dialog
box. (Highlight Scripts (Startup/Shutdown)
in the navigation tree, select Shutdown in
the right pane, then click the Properties
link.) The GPO-invoked script successfully
disabled the WDM driver.

DevCon isn't installed by default in Windows
OSs. You can download it from the
Microsoft article "The DevCon command-line
utility functions as an alternative to
Device Manager" (support.microsoft.com/kb/311272).
The file that you download
will contain devcon.exe for both 32-bit and
64-bit Windows OSs. You need to copy the
appropriate version to your %systemroot%\system32
directory. After DevCon is
installed, you can view the command-line
syntax by running the command

devcon /?

in a command-shell window.

With DevCon, you can use the asterisk 
(*) wildcard. For example, the command 

devcon find PCI\* 

will return the instance IDs and device 
names of the PCI devices currently 
present on the local computer. A similar 
command is 

devcon findall pci\*

This command lists all the PCI devices,
even PCI devices that currently aren't present
(e.g., they've been removed, they're
software-enumerated devices that don't
get installed until needed).

Table 1: Common Types of Identifiers for Devices

Device ID
  Description: Vendor-defined identifier that is the most specific,
  identifying a device's make, model, and revision. A device has only one
  device ID. The first ID in a list of hardware IDs is referred to as the
  device ID.
  Example: PCI\VEN_1102&DEV_0002&SUBSYS_00211102&REV_03

Hardware ID
  Description: Vendor-defined identifier that is less specific than the
  device ID. For example, it might identify a device's make and model but
  not its revision.
  Example: PCI\VEN_1102&DEV_0002

Instance ID
  Description: System-assigned identifier that distinguishes a device from
  other devices of the same type on a machine.
  Example: 3&61AAA01&0&50

Device Instance ID
  Description: System-assigned unique identifier for a device. It consists
  of a device ID followed by an instance ID.
  Example: PCI\VEN_1102&DEV_0002&SUBSYS_00211102&REV_03\3&61AAA01&0&50

Figure 1: The HTA's GUI

If you want to learn the status of each
PCI device on the local machine (e.g., running,
disabled), you can run the command

devcon status @PCI\*

Perhaps you aren't concerned with PCI
devices but instead hard drives attached
to IDE or SCSI interfaces. The easiest way
I found to list the variety of device types
present on a machine is

devcon status * | more

You can then use the command

devcon status @ide\*

to get the status of the IDE interfaces or

devcon status @scsi\*

to get the status of the SCSI interfaces.

These are only a few of the many operations
you can perform with DevCon. It's
a versatile tool you can use on local and
remote computers. If you work with devices
often and you're not familiar with this tool,
you might want to give it a try.

—Bret Bennett, president, 
BRET A. BENNETT 
InstantDoc ID 101652 
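Added example, not Bret's code: a PowerShell script that splits a device instance ID into the identifiers in Table 1, derives the hardware ID the .cmd scripts pass to DevCon, and wraps devcon.exe with an exit-code check. The sample ID is the one quoted in the piece above; the function names are mine, and devcon.exe is only run if it's on the path.

```powershell
# Added example (not from the article). Split-DeviceInstanceId takes a
# device instance ID apart as Table 1 describes; Invoke-DevCon runs
# devcon.exe and reports its exit code instead of ignoring it.

function Split-DeviceInstanceId {
    param([Parameter(Mandatory=$true)][string]$DeviceInstanceId)
    # Layout: <enumerator>\<device ID>\<instance ID>
    $parts = $DeviceInstanceId -split '\\'
    if ($parts.Count -ne 3) { throw "Not a device instance ID: $DeviceInstanceId" }
    $enumerator, $deviceId, $instanceId = $parts
    # The device ID is a &-separated list of NAME_value fields.
    $fields = @{}
    foreach ($field in ($deviceId -split '&')) {
        $name, $value = $field -split '_', 2
        $fields[$name] = $value
    }
    if (-not ($fields.ContainsKey('VEN') -and $fields.ContainsKey('DEV'))) {
        throw "Device ID has no VEN_/DEV_ fields: $deviceId"
    }
    New-Object PSObject -Property @{
        Enumerator = $enumerator
        DeviceId   = "$enumerator\$deviceId"
        # Make and model only, SUBSYS and REV dropped: what the scripts pass.
        HardwareId = "$enumerator\VEN_$($fields['VEN'])&DEV_$($fields['DEV'])"
        InstanceId = $instanceId
    }
}

function Invoke-DevCon {
    param([Parameter(Mandatory=$true)][ValidateSet('enable','disable','status')][string]$Action,
          [Parameter(Mandatory=$true)][string]$HardwareId)
    $devcon = Get-Command devcon.exe -ErrorAction SilentlyContinue
    if (-not $devcon) { throw 'devcon.exe is not on the path (see the KB 311272 download).' }
    # The call operator passes the ID as a single argument, so the & in it is
    # not a command separator here, unlike inside a .cmd file.
    $output = & $devcon.Path $Action $HardwareId 2>&1
    # DevCon exit codes: 0 = done, 1 = done but a reboot is required,
    # 2 = failure, 3 = syntax error. A .cmd that ignores these hides the
    # "reboot required" case the article ran into.
    New-Object PSObject -Property @{ Action = $Action; ExitCode = $LASTEXITCODE; Output = ($output -join "`n") }
}

# The ID quoted in the article; HardwareId comes out as PCI\VEN_1102&DEV_0002.
$ids = Split-DeviceInstanceId 'PCI\VEN_1102&DEV_0002&SUBSYS_00211102&REV_03\3&61AAA01&0&50'
$ids | Format-List Enumerator, DeviceId, HardwareId, InstanceId

# Only query status here; enable/disable are the same call with another Action.
if (Get-Command devcon.exe -ErrorAction SilentlyContinue) {
    Invoke-DevCon -Action status -HardwareId $ids.HardwareId
}
```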

HTA Automatically 
Creates Mappings 

In the Reader to Reader article "How to
Determine the Next Available Drive Letter
When Z Is Already Mapped" (March 2009,
InstantDoc ID 101215), Simon Zeltser provides
a very handy script that determines
and maps the next available drive to a network
share of your choosing. Because the
underlying engine is so useful, I incorporated
its functionality in an HTML Application
(HTA). By converting Simon's script into
an HTA and by taking advantage of some
optional arguments of the MapNetworkDrive
method of the Windows Script Host's
(WSH's) WshNetwork object, I was able to
create a more flexible tool.

In his script, Simon used the MapNetworkDrive
method of Windows Script
Host's (WSH's) WshNetwork object to map
a drive to a network share. When he called
the MapNetworkDrive method, he used
the method's two required arguments, which
are the drive letter and the network share's
path. The MapNetworkDrive method also has
three optional arguments. One optional
argument lets you specify whether
you want to make the mapping persistent
by storing it in the current user's profile.
The other two optional arguments let you
specify a user ID and password if you want
to map a drive under alternate credentials.

For example, suppose you want to use
alternate credentials to map the B drive to a
shared folder named Tools on the UtilServer
server and you want the mapping to persist.
You could use code such as


Set drive = WScript.CreateObject("WScript.Network")
drive.MapNetworkDrive "B:", "\\UtilServer\tools", True, _
    "DomainName\ImaUser", "MyP@$$w0rd"

In this code, the True argument specifies
that you want a persistent mapping,
DomainName\ImaUser represents the
alternate user ID, and MyP@$$w0rd is the
password for that user.

After adapting Simon's
code so I could create persistent
mappings and use
alternative credentials
when needed, I incorporated
it into the HTA. (The
rest of Simon's code is
virtually untouched, except
for some error-checking code
that I added.) You can download this HTA
by going to the Windows IT Pro website
(www.windowsitpro.com), entering 101816
in the InstantDoc ID box, clicking Go, then
clicking the Download the Code Here button.
You don't need to customize the HTA at
all before using it.

As Figure 1 shows, the HTA's GUI is
straightforward and easy to use. If you
want to use the credentials with which you
logged on to create a nonpersistent mapping,
you just enter the path to the network
share in the format \\server\share in the top
input field and click the MapIt button.

To make the mapping persistent, simply 
select Yes in the Persistent drop-down box. 
When you make a mapping persistent, the 
network share will be mapped when you 
log on again, provided that you have access 
and network connectivity to that share. 

To create a mapping under alternate
credentials, you need to enter the user ID
and password of the alternate account. You
must precede the username with either the
domain or the server where the account
resides. An example of this would be
MyDomain\AltUserID.

As I mentioned previously, I made only a
few changes to Simon's original code. Basically
all I've done to enhance it is to allow
the various MapNetworkDrive method
arguments to be supplied through the
HTA's GUI, which eliminated the need
to hard-code arguments in the script
and provided an application that's
more flexible. My thanks and acknowledgement
to Simon for his
very useful code.

—Jim Turner, domain 
administrator and 
applications developer, 
Computer Sciences Corporation 
InstantDoc ID 101816 
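Added example, not Jim's or Simon's code: the MapNetworkDrive call described above, made from PowerShell with the next free drive letter chosen automatically and the three optional arguments exposed as parameters. \\UtilServer\tools and DomainName\ImaUser are the values from the snippet; the password is prompted for rather than typed into the script.

```powershell
# Added example (not from the article or the HTA). Same WshNetwork
# MapNetworkDrive method, called from PowerShell.

function Get-NextFreeDriveLetter {
    # Walks Z: downward and returns the first letter with nothing behind it,
    # which is what the original script set out to do.
    param([char]$Lowest = 'D')
    $z  = [int][char]'Z'
    $lo = [int]$Lowest
    foreach ($code in $z..$lo) {
        $letter = [char]$code
        if (-not (Test-Path "${letter}:\")) { return $letter }
    }
    throw 'No free drive letter between Z: and the lower bound.'
}

function New-ShareMapping {
    param(
        [Parameter(Mandatory=$true)][string]$SharePath,        # \\server\share
        [switch]$Persistent,                                   # store in the profile
        [System.Management.Automation.PSCredential]$Credential # alternate account
    )
    if ($SharePath -notmatch '^\\\\[^\\]+\\[^\\]+$') {
        throw "Expected \\server\share, got: $SharePath"
    }
    $letter = Get-NextFreeDriveLetter
    $drive  = "${letter}:"
    $net    = New-Object -ComObject WScript.Network
    if ($Credential) {
        # MapNetworkDrive takes the password as plain text, so it is unwrapped
        # only here. The user must be given as DOMAIN\user or server\user.
        $nc = $Credential.GetNetworkCredential()
        if (-not $nc.Domain) { throw 'Prefix the user name with its domain or server.' }
        $user = '{0}\{1}' -f $nc.Domain, $nc.UserName
        $net.MapNetworkDrive($drive, $SharePath, [bool]$Persistent, $user, $nc.Password)
    } else {
        $net.MapNetworkDrive($drive, $SharePath, [bool]$Persistent)
    }
    return $drive
}

# Persistent mapping under alternate credentials, as in the article's snippet:
# New-ShareMapping -SharePath '\\UtilServer\tools' -Persistent `
#     -Credential (Get-Credential -Credential 'DomainName\ImaUser')
# Non-persistent mapping with the logged-on user's credentials:
# New-ShareMapping -SharePath '\\UtilServer\tools'
```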
ASK THE EXPERTS

■ Granular Audit Policies
■ Windows Server 2008
■ Outlook 2007
■ Digital Certificates
■ Domain Controllers
■ Windows PowerShell
■ Hyper-V
■ Windows 7

ANSWERS TO YOUR QUESTIONS



Q: How can I prevent the Granular 
Audit Policies that I defined on my 
Windows Server 2008 servers from 
being overwritten by the audit 
policies that are defined in my 
default domain GPO? 

A: Granular Audit Policies (GAPs) are a
new feature introduced in Windows Vista
and Windows Server 2008. In addition to
the nine legacy audit policy categories,
Microsoft created subcategories, for a
total of 50 different audit policies. You can
manage auditing either at the category
level (the original nine policies) or at the
subcategory level. The Audit Logon Events
(Logon/Logoff) category, for example, was
split into the following subcategories: Logon,
Logoff, Account Lockout, IPsec Main
Mode, IPsec Quick Mode, IPsec Extended
Mode, Special Logon, Other Logon/Logoff
Events, and Network Policy Server. You
can't set the new audit subcategories via
Group Policy Object (GPO) settings; you
must use the Auditpol command-line utility.
This means you must run the Auditpol
command on each computer where you
want to define GAPs. Run auditpol /? to
find out more about this command.


A side effect of the fact that GAPs can't
be set from GPOs is that they're overwritten
by legacy audit policy settings that
are enforced through GPOs, such as the
default domain GPO. If you set a GAP
on one of your servers using Auditpol, it
will be overwritten as soon as a GPO is
enforced on that server. Microsoft provides
a registry value, however, that can
prevent the legacy audit policy settings
that are distributed via group policy from
overriding GAP settings. The registry value
is SCENoConfigLegacyAuditPolicy and is
located in HKLM\System\CurrentControlSet\Control\LSA.
If this registry value is
present and set to a non-zero value, the
legacy audit policy settings will not be applied
if they are set through Group Policy.
More information about this registry value
is available in a Microsoft Knowledge Base
article at tinyurl.com/cg5xrl.

The SCENoConfigLegacyAuditPolicy 
registry value can also be controlled using 
the following GPO setting, located in the 
Security Options GPO container. 

Audit: Force audit policy 
subcategory settings (Windows 
Vista or later) to override 
audit policy category settings 

If you plan to use GAPs on your Vista and Server 2008 domain-joined machines, it's a best practice to enable the SCENoConfigLegacyAuditPolicy registry value. You should also enforce the GAPs using a recurring scheduled task that runs a batch file that sets the GAPs using Auditpol. 
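As an added example rather than the column's own script, here is the batch-file-plus-Auditpol approach in PowerShell form: it sets SCENoConfigLegacyAuditPolicy, applies a set of subcategories with Auditpol, reads back the effective settings, and registers the daily task that re-asserts them. The subcategory list and the script path C:\Scripts\Apply-GAP.ps1 are assumptions, not values from the column.

```powershell
# Added example, not from the article: pin Granular Audit Policies on a
# Vista / Server 2008 member server and re-apply them on a schedule.
# Assumptions: runs in an elevated PowerShell session; the subcategory
# list is constructed for illustration; C:\Scripts\Apply-GAP.ps1 is a
# hypothetical location where this script is saved.

$LsaKey = 'HKLM:\System\CurrentControlSet\Control\Lsa'

function Set-GapOverride {
    # A non-zero SCENoConfigLegacyAuditPolicy stops the legacy category
    # settings delivered by GPO from clobbering subcategory settings. It is
    # the value behind the "Audit: Force audit policy subcategory settings
    # (Windows Vista or later) to override audit policy category settings"
    # GPO setting.
    Set-ItemProperty -Path $LsaKey -Name 'SCENoConfigLegacyAuditPolicy' -Value 1 -Type DWord
    (Get-ItemProperty -Path $LsaKey).SCENoConfigLegacyAuditPolicy
}

function Set-GapSubcategories {
    param([hashtable]$Policy)
    # Auditpol is per machine, so this has to run on every server that needs it.
    foreach ($name in $Policy.Keys) {
        $want = $Policy[$name]
        & auditpol.exe /set "/subcategory:$name" "/success:$($want.Success)" "/failure:$($want.Failure)" | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Error "auditpol /set failed for '$name' (exit code $LASTEXITCODE)"
        }
    }
    # Read back the effective setting of each subcategory we touched.
    foreach ($name in $Policy.Keys) {
        & auditpol.exe /get "/subcategory:$name"
    }
}

function Register-GapTask {
    # Run once: a daily SYSTEM task re-asserts the settings if a GPO refresh
    # or a local change resets them. Adjust the path and time to taste.
    $action = 'powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Apply-GAP.ps1'
    & schtasks.exe /Create /F /RU SYSTEM /SC DAILY /ST 02:00 /TN 'Apply-GranularAuditPolicy' /TR $action
}

# Constructed policy: audit logon success and failure, lockouts and
# special (privileged) logons; logoff success only.
$DesiredPolicy = @{
    'Logon'           = @{ Success = 'enable'; Failure = 'enable' }
    'Logoff'          = @{ Success = 'enable'; Failure = 'disable' }
    'Account Lockout' = @{ Success = 'enable'; Failure = 'enable' }
    'Special Logon'   = @{ Success = 'enable'; Failure = 'disable' }
}

Set-GapOverride
Set-GapSubcategories -Policy $DesiredPolicy
# Register-GapTask   # uncomment and run once, elevated, to schedule the re-apply
```

Saving the script where the task expects it and running Register-GapTask once gives the recurring enforcement the column recommends; auditpol /get afterwards is the quickest way to confirm a GPO refresh has not undone the subcategories.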

—Jan De Clercq 

InstantDoc ID 101810 

Q. How can I see all the cmdlets provided in a Windows PowerShell module? 

A: If you pass the name of a module to the Get-Command cmdlet, it will show all the cmdlets that are included with the module. For example, to list all the cmdlets that are part of the FailoverClusters module, run the command 

Get-Command -Module FailoverClusters 

—John Savill 

InstantDoc ID 101830 

Q: Why does Outlook 2007 add extra spaces between lines in some messages? 

A: As you probably already know, Microsoft removed Internet Explorer (IE) as the tool for rendering HTML messages as of Outlook 2007. In addition, the Microsoft Office Outlook editor was replaced by the Microsoft Office Word 2007 editor for composing email messages. This has caused some minor inconveniences for people who compose HTML-formatted messages. 

I've talked with many users whose messages appear to have extra empty lines between text where a single blank line was intended. This occurs in Microsoft Office Outlook 2007 when a user composing an HTML email message hits the Enter key after completing a paragraph. Users might also hit Enter to advance the cursor with the intention of leaving a blank line between paragraphs. The problem arises with Word 2007 generating <p> paragraph tags in response to the Enter request. In HTML, the <p> tag is rendered as double-spaced. This wasn't a problem in Outlook 2003, even when Word 2003 was used as the email editor. The problem is especially consistent when the recipient is using a web-based mail reader such as Gmail or GMX.com. 

The simplest solution, if this is perceived as a problem at all, is to use Shift+Enter when ending a paragraph or creating space between paragraphs. The Word 2007 editor built into Outlook 2007 will generate a <br> tag for Shift+Enter. The <br> tag represents a line break in HTML and won't be rendered as a double space when viewing the HTML-formatted message. 

18 JUNE 2009 Windows IT Pro 

We're in IT with You 

www.windowsitpro.com 

—William Lefkovics 

InstantDoc ID 101505 

Q: How can I grant users the ability 
to manage Hyper-V? 

A: Hyper-V has very granular management delegation capabilities through Authorization Manager. You can grant users and groups different operation permissions over Hyper-V, or just over specific virtual machines (VMs). 

You access Authorization Manager by 
creating a custom Microsoft Management 
Console and adding the Authorization 
Manager snap-in. Follow these steps: 

1. From the Start menu, choose Run 
then enter mmc.exe. 

2. From the File menu, select Add/ 
Remove Snap-in. 

3. Select Authorization Manager and 
click Add, then click OK. 

You now need to load the Hyper-V authorization configuration, named InitialStore.xml, which is located in the %SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V folder. Select the Open Authorization Store action at the root of Authorization Manager, select XML file as the store type, enter or browse to the name of the XML file, and click OK. 

Authorization Manager will now show the Hyper-V authorization configuration, which allows the modification and creation of the various Authorization Manager components. The default scope is for Hyper-V services, which is all VMs on the server. You can see which AD group has the role allocated under Role Assignment in a role definition. 

A role in Authorization Manager is essentially an allocation of various operations, such as stopping or starting VMs, to the named role. For example, I could create a ControlVM role and only grant the operations to start, stop, pause, and resume VMs. 

Note that you also need the Allow Input to Virtual Machine, Allow Output from Virtual Machine, and Read Service Configuration permissions, shown in Figure 1, to see VMs in the Hyper-V snap-in. 

You also have the Tasks tab, which is essentially a way for you to create a group of tasks that can then be assigned to roles more easily. For example, you could create a task containing the control operations and then just assign the task to the new role. 

To give a user a role, just select Role Assignment and use Assign Users and Groups to select the users who should have the role capabilities. I could add normal users to the Administrator role to let them manage Hyper-V. 

Remember, this is just delegating a user the permissions to perform certain functions. The user still requires remote access to Windows Management Instrumentation, DCOM, and the firewall exceptions for normal remote Hyper-V MMC snap-in functionality. 

—John Savill 
InstantDoc ID 101831 


[Figure 1: the ControlVM Definition Properties dialog (Definition tab) listing the operations that define the role: Allow Input to Virtual Machine, Allow Output from Virtual Machine, Pause and Restart Virtual Machine, Read Service Configuration, Start Virtual Machine, Stop Virtual Machine] 

Figure 1: Permissions needed to see VMs in the Hyper-V snap-in 


Q: Why do expired digital certificates affect messages sent before the certificate expired? 

A: This may be obvious, but it's something to be aware of if you let your digital certificate expire. Typically, digital certificates are licensed for terms of a year, or multiple years, at a time. Digitally signed emails, sent prior to the expiration of the digital certificate used to sign them, will still generate a certificate error when they're opened after the certificate has expired. 

If the recipient opens a digitally-signed message prior to the expiration date of a valid certificate, the message will appear fine and show a certification award ribbon. If the recipient opens the same message after the expiration of the certificate, the recipient will see a certificate error in the message. A recipient using Microsoft Office Outlook will see this alert in the header area of the message: There are problems with the signature. Click the signature button for details. Click the signature button (a yellow diamond with a red exclamation mark, which replaces the certificate award ribbon) to open a window with more information. Click the Details button in that window to see the Message Security Properties window, which gives further information about the certificate. This window includes the underlying error, which in this case is the certificate used to create the signature is no longer valid. From the Message Security Properties window, you can select View Details and View Certificate. The View Certificate window will indicate when the certificate expired. 

Outlook doesn't provide a built-in advanced warning mechanism for expiring digital certificates. It's up to you to manage the dates, or perhaps set a task to renew them in Outlook before they expire. For some of my clients, it's important not to let any sign of insecurity show to their customers. Certificate vendors often provide web-based certificate administration for administrators to create and issue certificates. Often those certificate management tools will alert administrators prior to client certificate expiration dates. 
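Since Outlook gives no advance warning, the following added example (not the author's) enumerates the current user's personal certificate store for certificates carrying the Secure Email enhanced key usage and reports those within a chosen number of days of expiry, or already expired. The 30-day window is an arbitrary assumption; the OIDs are the standard ones for the EKU extension and id-kp-emailProtection.

```powershell
# Added example, not from the article: find S/MIME-capable certificates in
# the current user's personal store that are close to, or past, expiry.
# Assumptions: PowerShell 2.0 or later with the Cert: drive; 30 days is an
# arbitrary warning window.

$SecureEmailOid = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection
$EkuExtensionOid = '2.5.29.37'          # Enhanced Key Usage extension

function Get-ExpiringSmimeCertificates {
    param([int]$WithinDays = 30)

    $now    = Get-Date
    $cutoff = $now.AddDays($WithinDays)

    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        # Keep only certificates whose EKU extension lists Secure Email.
        $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq $EkuExtensionOid } | Select-Object -First 1
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $SecureEmailOid })
    } | Where-Object {
        # Expiring inside the window, or already expired.
        $_.NotAfter -le $cutoff
    } | ForEach-Object {
        New-Object PSObject -Property @{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            DaysLeft   = [Math]::Floor(($_.NotAfter - $now).TotalDays)
            Expired    = ($_.NotAfter -lt $now)
        }
    }
}

Get-ExpiringSmimeCertificates -WithinDays 30 |
    Sort-Object NotAfter |
    Format-Table Subject, NotAfter, DaysLeft, Expired -AutoSize
```

Run from a logon script or a scheduled task, a non-empty result is the reminder the answer says Outlook will not give you; a negative DaysLeft means recipients opening old signed mail are already seeing the signature error described above.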

—William Lefkovics 

InstantDoc ID 101504 
Q: How do I perform a system state 
backup of my Windows Server 2008 
system from the command line? 

A: To perform a system state backup of a 
Windows 2008 server from the command 
line, use Wbadmin.exe. Wbadmin is the 
command-line utility that comes with 
the new Windows Server Backup utility. 
The Windows Server Backup program 
and associated command-line tool aren't 
installed by default in Server 2008, but 
you can easily add them using the Add 
Features Wizard that is accessible from 
Server Manager. 

In the Add Features Wizard, shown in Figure 2, you must select both the Windows Server Backup and Command-line Tools options under Windows Server Backup Features. The backup command-line tools also require the installation and presence of Windows PowerShell on your server—Server Manager will automatically detect and select Windows PowerShell as a required feature when you install the backup command-line tools. 

To create a system state backup and 
save it to a local drive, use the following 
command, where d is the drive's letter. 

Wbadmin start systemstatebackup 
-backupTarget:d: 


For more information about Wbadmin, see the Microsoft TechNet command reference at tinyurl.com/d252bg. 
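As an added example (not part of the answer), the same command wrapped for unattended use: -quiet suppresses the confirmation prompt that would otherwise block a scheduled task, a non-zero exit code is turned into an error, and the versions on the target are listed afterwards so the new backup can be confirmed. The drive letter d: follows the answer; the rest is assumed.

```powershell
# Added example, not from the article: run a Wbadmin system state backup
# from a script, fail on a non-zero exit code and confirm the new version
# is catalogued on the target. Assumptions: Windows Server Backup and its
# command-line tools are installed; d: is the target volume.

function Invoke-SystemStateBackup {
    param([string]$Target = 'd:')

    # -quiet suppresses the interactive confirmation so this can run from a
    # scheduled task; the argument is quoted so PowerShell passes it intact.
    & wbadmin.exe start systemstatebackup "-backupTarget:$Target" -quiet
    if ($LASTEXITCODE -ne 0) {
        throw "wbadmin exited with code $LASTEXITCODE; see the Microsoft-Windows-Backup event log"
    }

    # List the backup versions stored on the target; the newest entry is the
    # one just written.
    & wbadmin.exe get versions "-backupTarget:$Target"
}

Invoke-SystemStateBackup -Target 'd:'
```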

—Jan De Clercq 

InstantDoc ID 101812 

Q. How do I add and remove 
features from Windows 7? 

A: One benefit of the componentization of Windows 7 is the option to remove parts of the OS that would previously have been thought of as core, such as Internet Explorer and Windows Media Player. You can remove these parts by opening the Programs and Features Control Panel applet and selecting the Turn Windows features on or off link. Deselect the various features you no longer want on your system. 

Note that while the binaries for unselected features aren't loaded by the OS when it boots, the source files are still staged and available on the OS installation. This means that if you want to add the feature back, you don't have to find the Windows 7 media. Also note that although the main binaries for the features won't be loaded, any APIs they provide will still be available for other components or applications that need them. 


The features that are newly removable 
in Windows 7 are: 

• Windows Media Player 

• Windows Media Center 

• Windows DVD Maker 

• Internet Explorer 8 

• Windows Search 

• Handwriting Recognition (through the 
Tablet PC Components option) 

• Windows Gadget Platform 

• Fax and Scan 

• XPS Viewer and Services (including the 
Virtual Print Driver) 

—John Savill 

InstantDoc ID 101860 

Q: How do I allow Windows Server 
2008, Windows Vista, and later 
clients to find a domain controller 
(DC) in the nearest non-local site? 

A: By default, if a client can't find a DC in its local site, then the client will search DNS for any DC that publishes generic service records, and this DC may be located on the other side of the world. Server 2008, Vista, and later clients can take advantage of the Try Next Closest Site feature, which allows the client to use site link information to find a DC in the closest site instead of at random. This feature is disabled by default to maintain default behavior with older clients, but you can enable it using Group Policy: 

1. Open a Group Policy Object (GPO) or create one that's linked to a domain, site, or organizational unit with clients you want to use Try Next Closest Site. 

2. Navigate to Computer Configuration\Policies\Administrative Templates\System\Netlogon\DC Locator DNS Records. 

3. Double-click Try Next Closest Site in the dialog and set it to Enabled. Click OK. Close the GPO. 

You can also enable Try Next Closest Site manually on specific computers via the registry by setting (or creating) the DWORD registry value HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\Try Next Closest Site to 1. To disable, set the value to 0. 

—John Savill 

InstantDoc ID 101829 



Figure 2: Installing the server backup program and associated command-line tool 
Get up and running whether Exchange is on a physical or virtual platform. By Alan Sugano 


The worst fear of any Exchange Server administrator is a complete crash of the Exchange server. What every administrator needs are step-by-step instructions for recovering that Exchange system—from beginning to end. So, let's apply that how-to treatment to the most difficult scenario of an Exchange recovery, which is the inability to replace the crashed Exchange system on the same hardware. You have to rebuild your server on new hardware! 

The rebuild scenario significantly complicates the restoration process: You can't restore the OS, system state, and Exchange program files because of hardware differences on the new server. Fortunately, most of the configuration details about your dead Exchange server are stored in Active Directory (AD), and for the purposes of this article, I'll assume that your AD infrastructure is still intact. (If that's not the case, you must recover your AD infrastructure before rebuilding your Exchange server.) 

If your Exchange server is running as a virtual server guest 
and you have a backup of the virtual server guest disk images, the 
recovery process will be greatly simplified, as you'll see later in 
the article. But even if you're fortunate enough to have Exchange 
running as a virtual server guest, it's still a good idea to know the 
recovery procedures for a failed Exchange server—just in case. This 
article reviews the recovery steps for an Exchange 2007 server with 
the following roles: Mailbox, Client Access, Hub Transport, and 
Management Tools. 

A Basic Exchange-Recovery Scenario 

Writing one foolproof Exchange-recovery scenario is impossible, because each Exchange environment is unique. However, you can use the following steps as a guideline for your recovery procedures. Understand, though, that you'll probably need to modify them to fit the needs of your Exchange environment. 

1. Order the new server replacement—When you're ordering your new server, make sure to order an adequate number of drives to duplicate the exact same drive letters, with storage space on each drive letter equal to or greater than that of the original server. If you don't know where Exchange was installed on the old server, you can use ADSIEdit.msc (installed with the Windows Support Tools or available at www.microsoft.com/downloads/details.aspx?FamilyId=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D) on any server in AD. Expand Configuration, CN=Configuration, DC=<domain>, DC=<domain_ext>, CN=Services, CN=Microsoft Exchange, CN=<company_name>, CN=Administrative Groups, CN=Exchange Administrative Group (<admin_group_id>), CN=Servers, CN=<Exchange_Server>. Right-click the server name, and select Properties. Select the Show only attributes that have values check box, as Figure 1, page 22, shows, and click on the Value column to sort by value. Scroll down until you see the full path of the Exchange server attributes, and make a note of each drive letter and path. You can also view the path of each storage group and database on the server by expanding CN=<server_name>, CN=Information Store, CN=<storage_group> and examining the properties of each storage group and database stored on the server. As you know, Exchange 2007 needs a lot of memory. For a relatively small Exchange installation, I suggest ordering a server that has at least 8GB of memory. With the x64 platform and Exchange 2007, more memory equals better performance. 
2. Install the same OS as the failed server on the new hardware—Exchange 2007 will run on Windows Server 2008 x64 or Windows Server 2003 x64. Install the latest service pack with all the patches. Avoid the temptation to upgrade the OS during the disaster-recovery process. The last thing you want to troubleshoot are new OS problems that might arise because you decided to upgrade the OS during the recovery process. Installing the same OS reduces the chance of having problems with backup, antivirus, or other related programs during the recovery process. 

3. Name the new server the same as the failed server with the same IP address configuration—This step is important because when you perform an Exchange reinstallation, the system will use the server name to gather the failed server's configuration from AD. If you can't remember the failed server's name or IP address, you can look that up on any DC that's running AD-Integrated DNS. 

4. Reset the computer account in AD—Before you join the domain, start the Microsoft Management Console (MMC) AD Users and Computers snap-in, locate the Exchange system, right-click it, and select Reset. Doing so will let you use the old server's name to join the new server to the domain. 

5. Join the domain and restart the server. 

6. Install server antivirus—If you had antivirus protection on the server, install the same version on the new server. 

7. Stop inbound mail flow into the server—Before you start the reinstallation of Exchange, I suggest stopping inbound mail flow to the server. You can typically accomplish this at the firewall or spam-filtering appliance. Stopping mail flow will prevent you from losing any Internet inbound messages that could be overwritten during the recovery process. 

8. Install the necessary prerequisites and roles on the server for Exchange—If you're running Exchange 2007 on Windows 2003, these include MMC 3.0; .NET 2.0 with SP1; Windows PowerShell; and IIS, World Wide Web, and Common Files. If you're running the Unified Messaging Role, you'll also need: 

• Media Encoder 9 x64 (www.microsoft.com/downloads/details.aspx?familyid=cc41218d-7e37-4546-bf0b-1276959ee3ef) 

• Codex Patch KB917312 (support.microsoft.com/kb/917312) 

• Core XML 6 Servers (www.microsoft.com/downloads/details.aspx?FamilyId=993c0bcf-3bcf-4009-be21-27e85e1857b1) 

If you're running Exchange 2007 on Windows 2008 with the Mailbox, Client Access, Hub Transport, and Management Tools, you can script these requirements through the following commands: 

• Install Windows PowerShell: 

ServerManagerCmd -i PowerShell 

• Run the following commands, in this order: 

ServerManagerCmd -i Web-Server 
ServerManagerCmd -i Web-ISAPI-Ext 
ServerManagerCmd -i Web-Metabase 
ServerManagerCmd -i Web-Lgcy-Mgmt-Console 
ServerManagerCmd -i Web-Basic-Auth 
ServerManagerCmd -i Web-Digest-Auth 
ServerManagerCmd -i Web-Windows-Auth 
ServerManagerCmd -i Web-Dyn-Compression 

Figure 1: Sorting by value 

• If the server will support Outlook Anywhere clients, install the RPC over HTTP proxy by running the following command: 

ServerManagerCmd -i RPC-over-HTTP-proxy 

9. Run Setup /m:RecoverServer—Installing Exchange 2007 with this switch is similar to performing a disaster-recovery installation on Exchange 2003. Most of the Exchange settings are stored in AD. The /m:RecoverServer switch tells the Exchange Setup program to query AD for the Exchange settings based on server name. For more information about running Setup /m:RecoverServer, refer to the Microsoft article "How to Recover a Lost Exchange Server" (technet.microsoft.com/en-us/library/bb123496.aspx). Setup will run through the prerequisite check, and if everything is in place, Exchange 2007 should be installed on your recovered server. After a successful installation, reboot the server. At this point, you should have your Exchange implementation restored without any current data. Open the Exchange Management Console (EMC), review everything, and verify that the server was properly installed. By default, the empty Exchange databases dismount after the Exchange installation. For any databases that you plan to restore, select the properties of the database and ensure that the This database can be overwritten by a restore check box is selected. 

10. Install Exchange antivirus—If the failed server was running an antivirus package for Exchange, reinstall the package with the latest patches and virus patterns. Obtain the latest virus patterns before restoring the Exchange databases. 

11. Install the backup agent—If the failed server had a backup agent installed, reinstall it with the same configuration you had on the original server. 
12. Reinstall the SSL certificate—If you had a commercial SSL certificate on the failed server, you must reinstall it. If you didn't export the certificate, have your SSL vendor reissue the certificate or obtain a new SSL certificate. If you have to order a new certificate, make sure that you obtain an SSL certificate that's capable of multiple identities. Typically, you'll need the following identities for the SSL certificate: internal Fully Qualified Domain Name (FQDN) of the Exchange server, external FQDN of the Exchange server, and autodiscover.<domain_name>.com. 
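Step 12 hinges on whether the certificate was exported before the crash. The following is an added example rather than the author's procedure: it exports the certificate Exchange 2007 has enabled for IIS to a password-protected PFX from the Exchange Management Shell, so a rebuilt server can import it instead of waiting on a reissue. The output path C:\Backup\ExchangeIIS.pfx is a placeholder, and the cmdlet parameters are those of the Exchange 2007 SP1 cmdlets as assumed here.

```powershell
# Added example, not from the article: export the Exchange 2007 certificate
# bound to IIS (OWA, Autodiscover, Outlook Anywhere) as a PFX with its
# private key, so it can be reinstalled during a rebuild. Run in the
# Exchange Management Shell. Assumptions: the private key was created
# exportable; C:\Backup\ExchangeIIS.pfx is a placeholder path.

$PfxPath  = 'C:\Backup\ExchangeIIS.pfx'
$Password = Read-Host -AsSecureString -Prompt 'PFX password'

function Export-IisCertificate {
    param([string]$Path, [System.Security.SecureString]$Password)

    # Pick the certificate enabled for the IIS service on this server.
    $iisCert = Get-ExchangeCertificate |
        Where-Object { $_.Services -match 'IIS' } |
        Select-Object -First 1
    if (-not $iisCert) { throw 'No certificate is enabled for IIS on this server' }

    # Show the identities it covers; step 12 expects the internal FQDN, the
    # external FQDN and autodiscover.<domain> to be among them.
    Write-Host "Thumbprint: $($iisCert.Thumbprint)"
    Write-Host "Domains:    $($iisCert.CertificateDomains -join ', ')"

    # BinaryEncoded returns the raw PFX bytes in FileData; write them out as bytes.
    $export = Export-ExchangeCertificate -Thumbprint $iisCert.Thumbprint -BinaryEncoded:$true -Password $Password
    Set-Content -Path $Path -Value $export.FileData -Encoding Byte
    Get-Item $Path
}

Export-IisCertificate -Path $PfxPath -Password $Password

# On the rebuilt server, after step 9, the reverse (same assumptions):
#   Import-ExchangeCertificate -Path $PfxPath -Password $Password |
#       Enable-ExchangeCertificate -Services IIS
```

The PFX holds the private key, so it belongs with the other recovery material the article lists at the end (offline, access-controlled), not on the Exchange server it protects.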

13. Install VSS Snapshot Patch KB940349—Install the patch located at support.microsoft.com/kb/940349. If you don't install this patch, the Exchange database-restore job might fail with the error Final error: 0xe00fed5 - A Failure occurred initializing for restore. 

14. Restore the databases to the Exchange server—Using your backup software, restore the Exchange databases to your server. Ensure that the existing databases are dismounted; otherwise, the restore will fail. Figure 2 shows a restoration that uses Backup Exec 12.5. After the restore is complete, verify that the database is mounted and that the mailboxes and public folders were properly restored. (Using the EMC, verify that the Do not mount this database at startup check box is cleared.) 

15. Reestablish mail flow from the Internet. 

16. Test the restored mail server to verify that it's properly functioning. This process might include—but is not limited to—verifying Autodiscover functionality, ensuring that all mailbox and public folder information was properly restored, checking mail flow to and from internal Exchange users (as well as to and from the Internet), verifying ActiveSync functionality, checking Outlook Web Access (OWA) functionality, ensuring Unified Messaging functionality (if applicable), and verifying relay functionality for servers that use the Exchange server, like SharePoint servers and other servers that use this server to send mail. 

Exchange Recovery Through Virtualization 

Virtualization can greatly simplify the recovery process and reduce the recovery time for Exchange. With virtualization, you don't have to worry about new hardware, because the virtual server guest will always see the same hardware no matter what physical hardware is running on the virtual server host. 

If your virtualization platform (e.g., VMware ESX Server, Microsoft Hyper-V Server) can perform an image backup while the virtual server guest is still running, you can back up the virtual server guest files on the virtual server host without taking down the virtual server. If your Exchange server is virtualized, I suggest obtaining an image backup at least once per week, while performing "traditional" backups of the Exchange server during the week. Assuming that your Exchange server is virtualized on a VMware ESX host, the recovery steps are as follows: 

1. Order the new server replacement—When you're ordering the new server, make sure that the replacement server is on the VMware Hardware Compatibility Guide (www.vmware.com/resources/compatibility/search.php). Ensure that the replacement hardware has the same (or greater) capabilities as the failed server in terms of CPU, memory, disk, and network cards. 

2. Install ESX Server on the new server—Ideally, give the server the same name and IP address. Install the latest patches on the server. 

3. Install the ESX host backup agent—If necessary, install the ESX backup agent software. 

4. Recreate the virtual server guests—Recreate all virtual server guests that were on this host with the same configuration, but don't create any hard drives for the virtual server guests. 

5. Restore the *.vmdk files to the host—Because the storage group will be different on the newly built ESX host, you must redirect each restored *.vmdk file to the proper folder. When you restore the *.vmdk files, don't restore the directory tree; otherwise, the *.vmdk files won't be restored to the proper location. You'll probably have to create a separate restore job for each virtual server that you restore. 

6. Associate *.vmdk files with virtual server guests—Add the *.vmdk files to the virtual server guest. Because the virtualization platform creates a hardware-agnostic platform for the virtual server guests, the virtual server guests will always "see" the same hardware platform regardless of the physical hardware running on the host. 

7. Start up the DC guests first—If your DCs were virtualized on the failed host, be sure to start them first and verify that they're properly functioning before you start any Exchange servers. 

Figure 2: A restoration that uses Backup Exec 12.5 

8. Start up the virtual server Exchange guest—Start the virtual server guest and verify that it's properly running. 

9. Restore the latest Exchange database backup by following steps 13 through 15 in the previous section. 

If you have a spare virtual server host available, you can reduce the recovery time even more by pre-staging the virtual server guest files on the host. If the server crashes, you can start the virtual servers on the backup server, restore the latest Exchange database backup, and you're up and running. 

Plan for the Recovery Now! 

Now is the time to test your recovery procedures and document your Exchange environment. When all your Exchange users are down, you don't want the added stress of figuring out the recovery process. Virtualization is a good way to test your recovery procedures with a minimum investment in hardware and minimal risk to your production environment. You should at least document the following: 

• Server hardware—Make, model, CPU, disk configuration, network configuration, and OS and service-pack level of your Exchange server. 

• Exchange server name—Server name, IP address, and version of Exchange installed on each Exchange server, as well as the installed roles of each server. 

• DCs—DC names and locations. 

• Exchange installation location—Drive and folder where Exchange is installed. 

• SSL certificate—Export the SSL certificate, and store it in a safe location. 

• Storage groups and databases, and database locations for each Exchange server. 

• Backup software burned to CD with installation keys. 

• Current OS and Exchange software burned to CD/DVD. 
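Step 1 of the rebuild procedure walks the Configuration partition in ADSIEdit to recover install paths, and the checklist above asks for the same information (installation location, storage groups and database locations) to be documented in advance. The following added example, not the author's, performs that walk as an LDAP search from any domain-joined machine and prints a table you can paste into the recovery documentation. msExchInstallPath, msExchEDBFile and the msExch* object classes are the Exchange schema names this script assumes.

```powershell
# Added example, not from the article: dump each Exchange server's install
# path and each mailbox/public folder database's EDB file location from the
# AD Configuration partition, i.e. the ADSIEdit walk of step 1 scripted.
# Assumptions: run as a domain user on a domain-joined machine; attribute
# names msExchInstallPath / msExchEDBFile and the msExchExchangeServer,
# msExchPrivateMDB and msExchPublicMDB classes are the standard Exchange
# schema names.

function Get-ExchangeLayout {
    # RootDSE tells us where the Configuration partition lives.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Services,$configNc"
    $searcher.PageSize   = 500

    # Server objects live under CN=Servers in each administrative group.
    $searcher.Filter = '(objectClass=msExchExchangeServer)'
    foreach ($result in $searcher.FindAll()) {
        $server = $result.GetDirectoryEntry()
        New-Object PSObject -Property @{
            Object = 'Server'
            Name   = [string]$server.name
            Path   = [string]$server.msExchInstallPath
            DN     = [string]$server.distinguishedName
        }
    }

    # Databases (under CN=InformationStore\<storage group>) carry the EDB path.
    $searcher.Filter = '(|(objectClass=msExchPrivateMDB)(objectClass=msExchPublicMDB))'
    foreach ($result in $searcher.FindAll()) {
        $db = $result.GetDirectoryEntry()
        New-Object PSObject -Property @{
            Object = 'Database'
            Name   = [string]$db.name
            Path   = [string]$db.msExchEDBFile
            DN     = [string]$db.distinguishedName
        }
    }
}

Get-ExchangeLayout | Sort-Object Object, Name | Format-Table Object, Name, Path -AutoSize
```

Because the data comes from AD rather than from the server itself, this still works after the Exchange server is gone, which is exactly the situation the article is preparing for; keeping the output with the other recovery documents saves the ADSIEdit walk when it matters.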

Recovering a crashed Exchange server is something you hope you never have to do, but it's a skill that every Exchange administrator should have. I hope I've provided some insight into the necessary steps to gracefully recover your Exchange environment. 

InstantDoc ID 101899 


Alan Sugano (asugano@adscon.com) is the president of ADS Consulting Group, which specializes in networking, custom programming, Microsoft .NET web development, and SQL Server development. He's the author of The Real-World Network Troubleshooting Manual (Charles River Media). 
FEATURE 




Confirming what everyone already knows, a recent study by Forrester (www.forrester.com/Research/Document/Excerpt/0,7211,46555,00.html) showed that only 10 percent of businesses have adopted Windows Vista, calling Vista "the New Coke." That's not entirely surprising considering that Microsoft marketed Vista almost solely to consumers. Microsoft assumed that as people adopted Vista at home they would compel their businesses to adopt Vista as well. However, we all know it didn't turn out that way. Consumers found that they couldn't get drivers to make their devices work and couldn't get many of their old applications to run, which left such a bad taste in their mouth that they weren't about to recommend Vista to anyone. Meanwhile, businesses were put off by the hardware and software costs required for the upgrade. The ROI just wasn't compelling enough to justify the high upgrade cost. 

Coming quickly on the tails of Vista, Windows 7 possesses an array of new features 
designed to make it more attractive to enterprise customers. Is Windows 7 the desktop 
OS that both consumers and businesses have been waiting for? Is it compelling enough 
to entice businesses to shell out money for a desktop upgrade in these tight economic 
times? I'll tackle these questions and more as I take you on a guided tour of Microsoft's 
new Windows 7 release. 



A guided tour of Microsoft's Windows 7 


Windows 7 vs. Vista 

The first thing to understand about Windows 7 is that it essentially is the next version of Vista. Windows 7 isn't something entirely new and different. Rather, the core Windows 7 OS is a direct descendant of Vista. All the main Vista features—such as the Aero UI, User Account Control (UAC), the revamped Windows Explorer, IPv6, and Windows BitLocker Drive Encryption—are carried over to Windows 7. Arguably, Windows 7 could be thought of as Vista R2. Like you might expect with an R2 release, Microsoft has addressed a lot of the problems present in the initial Vista release. Windows 7 offers better performance, fewer UAC hassles, and improved application compatibility. In addition, Windows 7 has a simpler set of editions than Vista. (For more information about the Windows 7 editions, see the web-exclusive article "Windows 7 Editions" at windowsitpro.com/article/articleid/101884/101884.html.) 


by Michael Otey 
Early Experiences 

New OSs always excite me, so I was eager to toss Vista out and give Windows 7 a try. Truthfully, my early experience with Windows 7 has been a mixed bag. On the positive side, I found Windows 7 to be noticeably quicker than Vista on the same hardware, which for my system means it performed roughly equivalent to XP. I did much of my early testing on an older desktop system, which previously ran XP Professional x64, then Vista x64. This system has a 2.5GHz CPU and 1.5GB of RAM. This system ran well under XP, was ponderous under Vista, and was quick again under Windows 7. 

On the negative side, I ran into unexpected driver problems. Surprisingly, several of the x64 drivers for my NVIDIA nForce3 motherboard that worked on Vista didn't work on Windows 7. In all fairness, this hardware is a generation old, but that doesn't bode well for customers who might be considering using Windows 7 on existing XP systems that run on hardware from the same generation. 

Overall, I liked Windows 7 way better than Vista. But is Windows 7 good enough to entice XP users to upgrade? Let's dive in and take a closer look at some of the main features in Windows 7. 

New Desktop and Start Menu 

While some skeptics say that UI enhancements are just eye candy, it's not that simple. The UI makes or breaks the OS. XP's UI enhancements made it the corporate standard for years. Conversely, Vista's Aero hardware requirements hindered its adoption. UI improvements can also affect productivity—big changes can cause a steep learning curve. The Windows 7 UI provides many benefits over the UI in XP and Vista.

The Windows 7 Start menu is a lot like the Vista Start menu. However, one really nice change is that the shutdown and power off options have been simplified. While it can be customized, Shut Down is the default option. Clicking the arrow on the right displays the Switch User, Log Off, Lock, Restart, and Sleep options. The eye candy is that the Start button shines when you move your mouse over it.

Another really nice change in the Windows 7 desktop is its support for Gadgets. Vista requires that all Gadgets run in the Sidebar. However, the Sidebar took away an annoying amount of screen real estate. With Windows 7, the Sidebar isn't gone, but you're no longer forced to put all your Gadgets in it. Gadgets can run directly on the desktop, so you can move them wherever you like.

AeroSnap is also a cool desktop feature. When you drag a window to the left edge of your display and another window to the right edge, AeroSnap automatically aligns and resizes the windows so that they each fill half the screen. This feature is handy for comparing documents and directories.

Figure 1: The Windows 7 UI

New Taskbar and Jump Lists 

Windows 7's new taskbar features enlarged icons with no text on a translucent surface. One huge distinction between the Windows 7 and Vista taskbars is that the Windows 7 taskbar includes both running and nonrunning applications. You can pin an item to the Windows 7 taskbar, making it a convenient application launch pad.

By default, the Windows 7 taskbar includes icons for Internet Explorer (IE) 8.0, Windows Explorer, and Windows Media Player (WMP). Hovering your mouse over a closed application's icon provides the application's description in a tool tip. Clicking that icon launches the application. When an application is running, the icon gets a subtle border. When you hover the mouse over a running application's icon, a group of thumbnail images representing each open instance of that application appears, as Figure 1 shows. (Figure 1 also shows floating gadgets.) If you then move the mouse over one of those thumbnail images, that instance of the application is displayed on the desktop, even if it's minimized.

Another new feature in the taskbar is Jump Lists. Right-clicking a taskbar icon displays a list of the recently used documents.

Libraries 

Windows Explorer in Windows 7 is very similar to the one in Vista. However, a notable new feature is the inclusion of Libraries. Libraries provide a new way to organize files. A Library is essentially a metafolder—a high level of folder. Unlike standard folders, Libraries can incorporate files from multiple folders. Each Library can contain files from as many folders as you want. Like folders, Libraries can be shared. Windows 7 ships with four Libraries: Documents, Music, Pictures, and Video. Each Library is optimized for its respective data type, which basically means the columns displayed in Windows Explorer are appropriate for the type of data. For instance, the Music Library displays the Name, #, Title, and Contributing artist columns, whereas the Documents Library displays the Name, Date modified, Type, and Size columns. You can also create your own custom Libraries. I was never a fan of the My Documents, My Pictures, My Music organization; I found Windows 7 Libraries to be a much more flexible and useful organizational tool. You can see the new Windows 7 Libraries in Figure 2.

The Windows 7 UI represents an evolutionary jump beyond the Vista UI and makes the XP UI seem Spartan and dated. Windows 7 is Microsoft's best UI to date. Period.

PowerShell 2.0

Windows 7 has a lot of additional enhancements beyond the new UI enhancements. For improved manageability, Windows 7 includes the new PowerShell 2.0 release. Windows 7 is the first Windows desktop OS to include PowerShell as a part of the OS. PowerShell 2.0 is 100 percent compatible with PowerShell 1.0. Some of the new PowerShell 2.0 features include support for running scripts on remote systems, improved Windows Management Instrumentation (WMI) cmdlets, and support for creating ScriptCmdlets and running background jobs.

The best feature of PowerShell 2.0 is the new Integrated Scripting Environment (ISE). The ISE is a multi-tabbed graphical PowerShell development platform. It features color-coded syntax and debugging capabilities that let you set breakpoints and single-step through scripts.

The ISE has three panes. You use the Script Pane to write, edit, and debug PowerShell scripts. The Command Pane is where you execute PowerShell commands and scripts. The Output Pane displays the results of those commands and scripts.

Troubleshooting Packs

Building on its PowerShell integration, Windows 7 delivers a comprehensive troubleshooting platform consisting of a set of Troubleshooting Packs, which are essentially PowerShell scripts that identify and resolve problems. You access and run the Troubleshooting Packs through the Control Panel Troubleshooting applet. Windows 7 ships with 20 built-in Troubleshooting Packs. For example, the Audio Playback Troubleshooting Pack diagnoses problems with the system's sound configuration and audio driver. You can also create your own Troubleshooting Packs.

Figure 3: The UAC dialog box in Windows 7

BranchCache and DirectAccess 

Windows 7 has a number of new enterprise-oriented network enhancements. Two of the new features, BranchCache and DirectAccess, work in conjunction with Windows Server 2008 R2. When BranchCache is enabled, remote users' requests for files stored on a Server 2008 R2 machine are routed to locally cached copies of the files. This local caching can significantly improve file-access performance. Server 2008 R2 tracks file changes and makes sure that all clients access the most current files. BranchCache supports Server Message Block (SMB), HTTP, and HTTP Secure (HTTPS) file access. Remote users don't need to be on the same subnet. BranchCache works in two modes:

• Distributed Cache. In this mode, the cached files are kept on other networked client computers, so a local server isn't required. It uses WS-Discovery to query networked clients for local files. This mode is good for a limited number of remote users.

• BranchCache. In this mode, the cached files are stored on a dedicated local BranchCache server. This mode is better for 100 or more remote users.

DirectAccess provides an alternative to VPNs for remote access. DirectAccess enables organizations to provide secure remote connectivity for mobile workers without the use of key fobs or SecurID tokens. To use this feature, you need a DirectAccess server running Server 2008 R2. The server must have two network cards—one for Internet traffic and one for internal connectivity. In addition, DirectAccess requires IPsec and IPv6. DirectAccess can work together with Server 2008 Network Access Protection (NAP) to ensure that only secured clients with the required patching levels and malware protection are allowed to access network resources.


UAC 

One of the best improvements to Windows 7 is UAC. Widely reviled in Vista, UAC was a great example of a good idea gone wrong. UAC's overly enthusiastic prompting caused many users (myself included) to disable UAC entirely. However, disabling UAC also removes the protection it affords. When UAC is disabled, Protected Mode IE is disabled because UAC is the protection for the Win32 directory as well as file and registry virtualization. UAC in Windows 7 is a much more livable experience. Prompting is much less frequent, and the level of prompting is configurable using the dialog box shown in Figure 3.

AppLocker

UAC is one tool you can use to secure a desktop, but it's not the only one. AppLocker lets you create policies that explicitly control the applications and executables (e.g., .exe files, scripts, DLLs) that can be installed or run on a desktop. Its allow rules limit the execution of applications to whitelisted applications, blocking all others. Its deny rules permit the execution of all applications, except those that are blacklisted. AppLocker lets you create allow or deny exceptions for specific applications. It uses digital signatures to identify applications and executables, which gives you granular control down to the version level. For instance, you can set up AppLocker to allow only Adobe Reader 10.0 or later to be executed. AppLocker rules can be applied to specific users or groups in an organization. AppLocker, which only comes with Windows 7 Enterprise Edition, can be managed across the enterprise with Group Policy.
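As an added example (not from Otey's article), the PowerShell below builds the kind of publisher rule just described with the Windows 7 AppLocker cmdlets: an allow rule for Adobe Reader 10.0 or later, derived from the binary's digital signature, then tested before it is enforced. The installation path is an assumption; point it at a signed copy of the application in your own environment.

```powershell
# Added example: build an AppLocker publisher allow rule for Adobe Reader
# 10.0 and later, then test a file against it. Needs an elevated session on
# Windows 7 Enterprise; the path below is an assumption.
Import-Module AppLocker

# Signed copy of the application you want to whitelist (assumed path).
$readerExe = 'C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AcroRd32.exe'

# Read publisher, product, binary name and version from the Authenticode
# signature. An unsigned file yields no publisher data, so stop early.
$fileInfo = Get-AppLockerFileInformation -Path $readerExe
if (-not $fileInfo.Publisher) {
    throw "$readerExe is not signed; a publisher rule cannot be built from it."
}

# Generate a publisher allow rule for Everyone and keep the policy as XML.
[xml]$policy = $fileInfo |
    New-AppLockerPolicy -RuleType Publisher -User Everyone `
        -RuleNamePrefix 'Allow Adobe Reader' -Xml

# Widen the generated version range to "10.0 and later": the rule keeps
# matching future patch levels as long as the publisher signature holds.
foreach ($range in $policy.SelectNodes('//BinaryVersionRange')) {
    $range.SetAttribute('LowSection',  '10.0.0.0')
    $range.SetAttribute('HighSection', '*')
}

$policyPath = Join-Path $env:TEMP 'allow-reader.xml'
$policy.Save($policyPath)

# Dry run: see what the rule decides for the file before enforcing anything.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $readerExe -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# To enforce locally, merge the policy into the effective policy; with -Ldap
# the same cmdlet writes it to a Group Policy object for the whole domain.
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Because allow rules block every executable they do not cover, add the default rules for the Windows and Program Files directories (or your own baseline) to the same policy before switching the rule collection to Enforce.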

BitLocker and BitLocker ToGo 

Introduced with Vista, BitLocker is a great security technology for laptops and other unsecured physical systems. It lets you encrypt your hard drives, thereby securing your data in case your laptop is stolen or lost. Using BitLocker is easier in Windows 7. You no longer have to perform the manual drive partitioning that Vista requires. Windows 7 BitLocker automatically creates and hides a 200MB partition on your boot drive. You can enable BitLocker by simply right-clicking your drive in Computer and selecting Turn on BitLocker from the context menu.

Windows 7 extends BitLocker's drive encryption capability to USB flash drives using a new feature called BitLocker ToGo. To access the contents of USB drives encrypted with BitLocker ToGo, you need to supply a password or PIN. Just think about how many of these USB drives you have (and how many you've lost) and you'll know what an important technology this is.

Like AppLocker, BitLocker and BitLocker ToGo are only in Windows 7 Enterprise Edition. Although this edition is required to encrypt USB drives, lower editions can read and write data to encrypted USB drives if authorized credentials are provided. Down-level clients such as Vista can read from the drives if the proper credentials are supplied, but they can't write to them.

IE 8.0

Windows 7 includes IE 8.0. After using IE 8.0 for a little while, I got hooked. I never liked IE 7.0, mainly because I found it excruciatingly slow. There's a lot to like in IE 8.0. It's fast, which provides concrete evidence of how competition from third-party vendors can result in improved Microsoft products. IE 8.0 features tabbed browsing, Web Slices for tracking favorite web content, InPrivate Browsing for anonymous web browsing, Accelerators for browsing shortcuts, and SmartScreen filters that block suspected malware and flag phishing sites with a red warning screen. There are also lots of little improvements such as the ability to size your address and search bars and easy access to recently closed tabs. Unlike Firefox and Google Chrome, IE 8.0 can be managed using Group Policy. Although some people have reported site incompatibilities, I haven't run into any problems in accessing sites.

Even More 

Feature-wise, Windows 7 is a major release, and there are more features than I can cover here. Some of the other important features in Windows 7 include:

• Action Center. The new Action Center provides a central place to view and respond to system alerts.

• Problem Step Recorder. This feature lets end users record a series of screen shots to document a problem.

• Windows Recovery Environment. Windows RE, which is installed by default, is used to recover from system failures.

• Boot from VHD. In Windows 7, you can mount a Virtual Hard Disk (VHD) just like a drive and can even boot from it. Each VHD is like a hard drive with a primary partition. Boot from VHD is useful for setting up multi-boot environments.

• Mobile Broadband. Windows 7 includes enhanced Mobile Broadband support. The enhancements include plug and play (PnP) support for 3G cards and the ability to use third-party connection managers. The 3G cards show up in the Network and Sharing Center.

• Location-aware printing. Location-aware printing enables laptops to select the best configured printer based on the system's location.

Lucky Number 7

Apart from some minor driver problems, my experiences with Windows 7 have been very positive. Windows 7 fixes many of the problems that plagued Vista. Most important, Windows 7 restores a level of performance that makes your initial experience with the new OS a good one.

If you're using XP and you're already considering a desktop upgrade, I recommend bypassing Vista and jumping straight to Windows 7, even though there's no in-place upgrade from XP to Windows 7. You'll have the best experience installing Windows 7 on new hardware. Windows 7 is everything Vista should have been. Windows 7 essentially obsoletes Vista.

If you're using XP and you want to wait a while before you upgrade, the timing of that upgrade will probably be driven by your hardware replacement cycle. The old applications and hardware devices already installed on your XP systems will likely face compatibility problems with Windows 7. Therefore, rolling out Windows 7 when you need to get new hardware makes the most sense.

If you've already upgraded to Vista, it'll probably be difficult to make a case to upgrade to Windows 7. Windows 7 is the superior OS and the upgrade path from Vista to Windows 7 is an easy one, but if you've already made the leap to Vista, you've already overcome the migration hurdles and it's too soon for most companies to undertake another upgrade. Organizations currently using Vista will probably be incorporating Windows 7 primarily as new machines are purchased.

Windows 7 delivers an excellent desktop experience. Its UI is much richer than XP's UI. The usability and performance are much better in Windows 7 than in Vista. For enterprise customers, features such as BitLocker, BitLocker ToGo, PowerShell 2.0, Troubleshooting Packs, Problem Step Recorder, and Windows RE make Windows 7 Microsoft's best desktop OS to date.

The final lesson in the PowerShell 201 series explores how to make PowerShell code last for more than just one session.


In Windows PowerShell, any functions, variables, or other language elements that you defined during your session will be lost when you exit the PowerShell console. However, that doesn't have to be the case. You can use profile files and script files to save your code. Profile files make the code available whenever you start PowerShell, whereas script files make the code available on demand.

I'll walk you through how to create both types of files and how to add PowerShell statements to them. I'll also show you how to access the code in profile and script files from the console and how to use input parameters in script files.

With this foundation, you'll be able to create code that meets your specific needs and that will ultimately streamline the steps necessary to perform a wide variety of administrative tasks.


Creating a Profile File 

A profile file is a text file with a specific name and path, both of which are predefined by PowerShell. When you 
start PowerShell, it reads existing profile files and loads their code into memory. Any code you define in a profile 
file is available to you during your sessions. For example, if a profile file includes a function, you can call that 
function from the PowerShell console without having to enter that function's code. 
You must create your own profile file. The easiest way to do this is to take advantage of PowerShell's built-in $profile variable. This variable stores the fully qualified pathname of the current user's individual profile file. The variable is predefined with this information whether or not a profile file has been created. You can view the $profile value by running the command

$profile

The exact path stored in $profile will vary depending on the user and the OS. For example, in Windows Vista, the path will look similar to C:\Users\user1\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1. In Windows XP, the path will look similar to C:\Documents and Settings\user1\My Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1.

To create a profile file with the $profile variable, you need to use the New-Item cmdlet and specify $profile as the -path parameter's value, as in

New-Item -path $profile -itemType file -force

This command specifies file as the -itemType value and includes the -force parameter, which overrides certain existing restrictions when creating the file. For example, if the file already exists, the -force parameter will overwrite the existing file.

After you create the file, you can open it by calling Notepad from within PowerShell with the code

Notepad $profile

When you run this command, Notepad opens and displays a blank file. You can then add PowerShell statements to the file. Note that if you run this command and the file doesn't exist, you'll receive an error saying that the system can't find the path specified.

Adding Content to a Profile File

To add content to a profile file, you simply enter the statements as you would enter them in the PowerShell console. For example, you can define a variable such as

# Retrieve day and date.
$today = Get-Date -displayHint date

The $today variable retrieves the current day and date. When adding code to a profile file, it's always good practice to include comments that specify the purpose of the code, like the comment shown here (the line preceded by the number sign). PowerShell ignores any lines preceded by a number sign.

You can add as many statements as necessary to your profile. For example, you can include the function

# Retrieve 10 most recent events.
function events ($log="system")
{
  Get-EventLog $log -newest 10
}

The events function retrieves the most recent 10 events in the specified log. If you don't specify a log as an input parameter when you call the function, it retrieves events from the System log. (For information about user-defined functions, see "Create Your Own PowerShell Functions," April 2009, InstantDoc ID 101610.) After you finish entering statements in the profile file, save it and close Notepad. Figure 1 shows a sample profile file.

Figure 1: Adding the $today variable and the events function to the profile file

PS C:\> get-executionpolicy
Restricted

PS C:\> set-executionpolicy
>> remotesigned
>>

PS C:\> get-executionpolicy
RemoteSigned

PS C:\>

Figure 2: Setting the execution policy

PS C:\> $today

Monday, September 10, 2007

PS C:\> events "windows powershell"

Index Time          Type  Source      EventID Message
  673 Sep 10 08:42  Info  PowerShell      400 Engine state is changed from
  672 Sep 10 08:42  Info  PowerShell      600 Provider "Certificate" is St
  671 Sep 10 08:42  Info  PowerShell      600 Provider "Variable" is Start
  670 Sep 10 08:42  Info  PowerShell      600 Provider "Registry" is Start
  669 Sep 10 08:42  Info  PowerShell      600 Provider "Function" is Start
  668 Sep 10 08:42  Info  PowerShell      600 Provider "FileSystem" is Sta
  667 Sep 10 08:42  Info  PowerShell      600 Provider "Environment" is St
  666 Sep 10 08:42  Info  PowerShell      600 Provider "Alias" is Started.
  665 Sep 10 08:40  Info  PowerShell      400 Engine state is changed from
  664 Sep 10 08:40  Info  PowerShell      600 Provider "Certificate" is St

PS C:\>

Figure 3: Accessing the $today variable and events function in the profile file

To use the profile file, you must restart your PowerShell session. However, before you do so, you should verify PowerShell's current execution policy. The execution policy determines whether a script file can run—and a profile file is a type of script file. Script files and profile files are text files with a .ps1 extension. By default, PowerShell sets its execution policy to Restricted, which means that script files will not run and profile files will not load.

To verify the current execution policy, run 
the command 

Get-ExecutionPolicy 


If PowerShell returns a Restricted setting, as Figure 2 shows, you can use the Set-ExecutionPolicy cmdlet to change the execution policy. Before you decide which execution policy to use, see PowerShell's About Signing and Execution Policies Help file to view details about the four different policies. Once you decide on the policy, you can run a command such as

Set-ExecutionPolicy RemoteSigned

This command sets the execution policy to RemoteSigned. After you set the policy, you can run the Get-ExecutionPolicy cmdlet again to verify that the change was made, as shown in Figure 2.

After you set the execution policy, close and reopen PowerShell to start a new session in order for the profile to be loaded and the code to take effect.

In the new session, you can access the variable and function as you would if you had created them at the console. For example, to access the $today variable, you enter the variable's name in the console like this

$today

Figure 3 shows the type of results you can expect from this command. You can also call the events function, which requires an event log name as an input parameter, as in

events "windows powershell"

PowerShell calls the function, passes in the parameter value, and returns the results, as shown in Figure 3. As you can see, profiles provide a useful way for storing code. To learn more about profile files, see the "Getting Started" guide that's included with the PowerShell installation.

Creating a Script File 

When you add code to a profile file, PowerShell runs that code whenever you open the console. Although this might be useful for functions and variables, it's not very useful for code whose execution you want to control. For example, you might want to run a script that retrieves data about services running on multiple computers on the network, but you wouldn't want this script to run each time PowerShell starts. In such cases, you can save the code in a script file, then run that file from the PowerShell console when necessary.

Figure 4: Running a script file

PS C:\> C:\PSscripts\Services.ps1 *net*

Status   Name          DisplayName
Running  Netlogon      Net Logon
Running  Netman        Network Connections
Running  Nla           Network Location Awareness (NLA)
Running  LmHosts       TCP/IP NetBIOS Helper
Running  SharedAccess  Windows Firewall/Internet Connectio...

PS C:\>

Figure 5: Providing an input parameter value when running a script file

As I mentioned previously, script files are text files with a .ps1 extension. To create a script file, you need to create a new text file in Notepad, add the code you want to run, and save the file with the .ps1 extension. For example, you might add code such as

# Retrieve running services.
Get-Service |
  where {$_.Status -eq 'running'} |
  sort -property DisplayName

to a file in Notepad and save it as Services.ps1 in the C:\PSscripts folder. Services.ps1 retrieves a list of running services and sorts them by their display names.

Before you run Services.ps1 (or any other script file) for the first time, you should use the Get-ExecutionPolicy cmdlet to make sure that PowerShell's execution policy allows you to run a script file. Once confirmed, you can call Services.ps1 by entering its entire pathname, as in

C:\PSscripts\Services.ps1

That's all there is to it. The script file will run and return results like those shown in Figure 4, page 33.

Note that you can also call a script file by dragging it from Windows Explorer to the PowerShell console. After you drag the script file to the console, press Enter to run it. Another way to run it is to change the current working directory to the directory where the script file is located with a command such as

Set-Location C:\PSscripts

then run the script file with the statement

.\Services.ps1

The period before the backslash tells PowerShell to use the current working directory.

Adding Input Parameters to a 
Script File 

Like functions, script files can have input parameters. Input parameters let you pass values to a script file when you call it. To add input parameters, you must add a param statement to your script file. For example, to narrow the list of services that Services.ps1 retrieves, you can add a param statement to the script file, as in

# Retrieve running services.
param ($service="*windows*")

Get-Service -DisplayName $service |
  where {$_.Status -eq 'running'} |
  sort -property DisplayName

As the second line shows, a param statement begins with the param keyword, followed by one or more parameters in parentheses. (You should separate multiple parameters with commas.) You can also define your input parameters with default values, as I've done here. PowerShell allows wildcards in parameter values.

Now if you want to call Services.ps1, you enter its full pathname and the desired parameter value, with a space between them, as in

C:\PSscripts\Services.ps1 *net*

Services.ps1 will now return any running services whose display name includes the string net, as shown in Figure 5. If you don't include an input parameter, the script file will return running services whose display name includes the string windows.

Although the code in Services.ps1 is basic, you can create complex script files that perform a variety of actions. And by being able to pass in parameter values, you can create a single script file that you can use in multiple environments and under different circumstances.
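As an added example (not from Sheldon's article), here is a version of Services.ps1 that takes the multi-computer case the article mentions earlier: a second, array-valued parameter names the hosts to query, both parameters keep defaults, and a host that cannot be reached produces a warning rather than aborting the run. The script path and computer names are assumptions.

```powershell
# Added example: C:\PSscripts\Services.ps1 with two input parameters.
# Run as: C:\PSscripts\Services.ps1 *net* server1,server2
# (the second argument is a comma-separated list, bound to $computerName).
param (
    [string]   $service      = '*windows*',     # wildcard display-name filter
    [string[]] $computerName = @('localhost')   # one or more hosts to query (assumed)
)

# Collect matching running services from each computer. -ErrorAction Stop
# turns an unreachable host (or a pattern with no match) into a terminating
# error so the catch block can report it and move on to the next host.
$results = foreach ($computer in $computerName) {
    try {
        Get-Service -ComputerName $computer -DisplayName $service -ErrorAction Stop |
            Where-Object { $_.Status -eq 'Running' } |
            Select-Object @{ Name = 'Computer'; Expression = { $computer } },
                          Status, Name, DisplayName
    }
    catch {
        Write-Warning "Could not query services on ${computer}: $($_.Exception.Message)"
    }
}

# Sort by computer, then display name, so a fleet-wide run is easy to scan.
$results | Sort-Object Computer, DisplayName
```

Get-Service's -ComputerName parameter was added in PowerShell 2.0, the release Windows 7 ships with, and the remote query runs under the caller's credentials, so only hosts on which the account already has rights will answer.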

Take Advantage of PowerShell's 
Features 

Profile and script files let you easily store the various commands and logic you need to perform a wide range of administrative tasks. Both types of files are easy to implement and maintain, and they can contain code that's as simple or complex as you need it to be. The more you work with PowerShell, the more useful you'll find both types of files. However, as is the case with any tool, these files are only as useful as your knowledge of the underlying technology, so the better you understand PowerShell and its language, the more effectively you can take advantage of profile and script files as well as any of the other powerful features in PowerShell.

Give your users one less password to memorize

by Eric B. Rux 



Wouldn't it be cool if your users had to remember only one username and password? Just think how many fewer Help desk tickets you would receive. As we've moved from Workgroups to NT Domains, Active Directory (AD), and "integrated services" such as Microsoft Exchange and SQL Server, the number of user accounts and passwords has declined. But many non-Microsoft technologies have authentication mechanisms that are separate from AD. One example is a virtual private network (VPN) connection using Cisco's PIX/ASA firewall; these user accounts and passwords are stored locally on the firewall by default. However, you can add Microsoft's free Remote Authentication Dial-In User Service (RADIUS) authentication to your firewall without altering your current VPN setup and give your users at least one less password to remember. Here's how.


Setting up the VPN Gateway 

For this article, I used a Cisco PIX 515 with 64MB of memory and 16MB of Flash 
running Cisco PIX Security Appliance Software 8.0(3). I installed and used 
Cisco's free Adaptive Security Device Manager (ASDM) 6.0(2), which gives you 
a GUI to manage Cisco security appliances and firewalls. 

Cisco is discontinuing the PIX 500 series and recommends moving to its ASA 5500 series instead. (See Cisco's website for more information at www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/pix_eos.html.) Since the ASA is nearly identical to the PIX, except with more bells and whistles, the RADIUS setup is the same as it is with the PIX setup. To authenticate other brands of VPN devices, such as Netgear, SonicWall, and others, you'll need to check out the documentation for your specific model, but the RADIUS configuration that I describe below should be similar.

Just like a medical doctor, I live by the mantra "Do No Harm." So it's important that I add RADIUS authentication to my firewall without breaking or altering the current VPN setup. I want users to be able to continue using the current setup while I add new functionality. To simplify the RADIUS setup, I highly recommend using the GUI instead of the command line. I also recommend documenting every setting, IP address, and Secret Key—this will help you if you need to troubleshoot in the future. To keep track of the settings, I created a document called Radius Settings (see the PDF at tinyurl.com/c7ezw). The top half of the document shows you how the Tunnel Group and Pre-shared key values relate to the Cisco VPN Client. The bottom half shows how to configure PIX/ASA and Server 2008/Windows 2003 to point to each other for RADIUS authentication. If you find that your setup isn't working correctly, refer to this document and verify that you are referencing the correct Pre-shared key, Password, Server Secret Key, and Shared Secret. Just by looking at the names, you can see how easy it would be to accidentally use the wrong information.

Figure 1: The IPsec VPN Wizard in Cisco's Adaptive Security Device Manager

The first step in setting up your VPN gateway is to log on to ASDM as a privileged user. For this example, I simply used the "Enable" password. ASDM takes a few seconds to read the configuration from the firewall, then it's ready to go. Click Wizards, IPsec VPN Wizard, which Figure 1 shows, to get the process started. Click Remote Access on the screen that follows, then click Next. I prefer the free Cisco VPN client over the built-in Windows client, so I leave the default setting as is on step 2.

When you get to step 3, be sure to take notes, as you will need this information for the VPN client later. It doesn't matter what you enter for the Tunnel Group Name, so just keep it simple and easy to remember. The Pre-shared key, however, should be a complex password. For the examples in this article, I'm using simple passwords and keys, which is fine for testing but not for a production environment.

Step 4 is the fork in the road and will send you down the RADIUS path for VPN authentication. Select the option Authenticate using an AAA server group. Click New and fill out the screen as Figure 2 shows. This screen contains information that you will need later, so be sure to take good notes. Because we will be using RADIUS to authenticate to Active Directory (AD), I call my Server Group name "ActiveDirectory." The Server IP Address is the address of the server that will host the RADIUS service. The Server Secret Key is a password of sorts that the firewall will use to access the RADIUS server and ask for authentication confirmation. Note that while ASDM uses the term "Server Secret Key," Windows 2003 calls the same thing a "Shared Secret," which you can see if you check the screenshots in the Radius Settings PDF, which I mentioned earlier. Be sure to write this Server Secret Key down. As I mentioned above, my three-character Server Secret Key is just for testing; be sure to use a complex password in a production environment. We'll discuss the Server Secret Key in further detail a little later.

Figure 2: Authenticating using an AAA server group

Continue with the wizard, taking care to create a DHCP Pool (or use an existing one) in step 6. Assign DHCP details such as DNS and WINS in step 7. Be absolutely sure to use 3DES in step 8—not only because it's much more secure than single DES but also because the Cisco VPN client doesn't seem to want to work with anything except 3DES. Trust me.

Leave the defaults for step 10 unless your company lets users "split-tunnel" (access the secure VPN network while simultaneously accessing the unsecure Internet). The last step should allow you to click Finish and apply the configuration to the firewall. You are now done with the firewall and can move on to the RADIUS setup in Windows Server.

Figure 3: Registering the server in Active Directory


IAS/RADIUS Setup 

Now that the firewall is set up, it's time to configure Windows Server. You can use either Windows Server 2008 or 2003, Standard or Enterprise Edition. There is a limit of 50 RADIUS clients in Standard Edition, but the client in this instance is the firewall, not the individual users. If you have fewer than 50 VPN devices (or other devices that you want to authenticate via RADIUS), then you can use Standard Edition. If you have 51 or more, you need to use Enterprise Edition. Let's look at how to configure Windows 2003 first, then Server 2008.

Windows 2003 

If Internet Authentication Service (IAS) isn't 
already installed, you'll have to do that first. 
IAS is the Microsoft implementation of 
RADIUS. 

Open Add/Remove Programs in the Control Panel and click Add/Remove Windows Components. You'll find IAS in the Details of Networking Services. After it's installed, you'll find a shortcut to IAS in Administrative Tools.

In researching this article, the technical editors and I had an interesting discussion about whether you should or shouldn't install IAS directly on a domain controller (DC). Experience tells us that it's always best to reduce the attack surface and keep the IAS/RADIUS services on a separate server from AD. At the same time, we couldn't find any Microsoft documentation to back up our rule-of-thumb. In fact, we found two Microsoft articles that explain how to install IAS onto a DC (see "IAS Best Practices" at technet.microsoft.com/en-us/library/cc780683.aspx and "Configure the Primary IAS Server on a Domain Controller" at technet.microsoft.com/en-us/library/cc739414.aspx), with no mention of the potential risk.

My recommendation 
stays the same: Keep those 
services on separate servers. You will have to 
make your own assessment. 

You'll need to register the server in AD 
so that it will query AD's user database and 
not the local SAM database (not necessary 
if you installed IAS on a DC, which I do not 
recommend). Open IAS, right-click Internet 
Authentication Service, and choose Register 
Server in Active Directory, which you can 
see in Figure 3. Click OK when prompted 
to authorize the server to read users' dial-in 
properties in AD. 

Now, right-click RADIUS Clients and choose New RADIUS Client, which Figure 4 shows. Enter a friendly name for the client, such as "PIX VPN Authentication," and the INSIDE IP address of the PIX firewall (assuming that you're using that interface). Click Next, then type in the Shared Secret (aka Server Secret Key) that you configured on the firewall in step 4. Use the Radius Settings PDF I mentioned earlier to help you keep it straight. Leave the Client-Vendor at the default RADIUS Standard.

The last step is to enable unencrypted authentication in the remote access policies. Yes, I know what you're thinking: "Why on earth would I allow my users' passwords to be sent unencrypted over the network?"

I had the same question, and I found the comfort that I needed after I read RFC 2865 at www.faqs.org/rfcs/rfc2865. According to the RFC, "transactions between the client and RADIUS server are authenticated through the use of a shared secret, which is never sent over the network. In addition, any user passwords are sent encrypted between the client and RADIUS server, to eliminate the possibility that someone snooping on an unsecure network could determine a user's password."

So although the setting specifies "Unencrypted Authentication" on the RADIUS server, the user's password is encrypted using the Server Secret Key/Shared Secret between the VPN firewall and the Windows RADIUS server. Microsoft recommends a "long" shared secret at least 22 characters in length.
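To make concrete what "encrypted using the Shared Secret" means for a PAP request, here is the User-Password hiding scheme from RFC 2865 section 5.2, written out as an added example (this is not code from the article or from Cisco or Microsoft). The password, the three-character test secret, and the Request Authenticator are constructed sample values; the only assumption beyond the RFC is that the VPN device and the RADIUS server use the same 16-byte Request Authenticator, which the RADIUS packet carries.

```python
import hashlib
import secrets


def hide_user_password(password: bytes, shared_secret: bytes,
                       request_authenticator: bytes) -> bytes:
    """Hide a PAP password as RFC 2865 section 5.2 describes.

    The cleartext is zero-padded to a multiple of 16 bytes.  Each 16-byte block
    is XORed with MD5(shared_secret + previous_block); for the first block the
    "previous block" is the 16-byte Request Authenticator from the packet.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    previous = request_authenticator
    for offset in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + previous).digest()
        block = bytes(p ^ k for p, k in zip(padded[offset:offset + 16], keystream))
        hidden += block
        previous = block  # chaining: this ciphertext block keys the next hash
    return bytes(hidden)


def reveal_user_password(hidden: bytes, shared_secret: bytes,
                         request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password; this is what the RADIUS server does."""
    if len(hidden) == 0 or len(hidden) % 16 != 0:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    cleartext = bytearray()
    previous = request_authenticator
    for offset in range(0, len(hidden), 16):
        keystream = hashlib.md5(shared_secret + previous).digest()
        block = hidden[offset:offset + 16]
        cleartext += bytes(h ^ k for h, k in zip(block, keystream))
        previous = block
    # Strip the zero padding; PAP passwords cannot themselves contain NUL bytes.
    return bytes(cleartext).rstrip(b"\x00")


def demo(secret_on_firewall: bytes, secret_on_radius: bytes) -> dict:
    """Constructed walk-through: the VPN device hides the password with its
    Server Secret Key; the RADIUS server unhides it with its Shared Secret.
    If the two values differ, the server sees garbage and logs a bad-password
    event even though the user typed the right credentials."""
    request_authenticator = secrets.token_bytes(16)  # fresh random value per request
    password = b"P@ssw0rd-example"                    # constructed sample credential
    on_the_wire = hide_user_password(password, secret_on_firewall, request_authenticator)
    seen_by_server = reveal_user_password(on_the_wire, secret_on_radius, request_authenticator)
    return {
        "wire_bytes": len(on_the_wire),
        "server_sees_cleartext": seen_by_server == password,
    }


if __name__ == "__main__":
    print("matching secrets:  ", demo(b"abc", b"abc"))
    print("mismatched secrets:", demo(b"abc", b"abd"))
```

The keystream is nothing more than MD5 over the shared secret and a value that is visible in the packet, so the hiding is only as strong as the secret is long and unpredictable; that is the practical reason behind the 22-character recommendation above, and it is why a three-character secret is fine for a lab and nothing else. The mismatch case in `demo` is also the mechanism behind the "unknown username or incorrect password" event discussed under Troubleshooting: a wrong shared secret does not produce a distinct error, it simply decodes to the wrong password.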

Server 2008 

If you're using Server 2008, then the configuration process is a bit more complicated. Microsoft has moved the RADIUS services from IAS to a new service called Network Policy Server. NPS adds a new layer of complexity that IAS didn't have. However, the new features also considerably enhance the overall protection of the network from remote and local clients.

In Server 2008, we need to add a new role 
called Network Policy and Access Services. 
The New Role wizard can be found in the 
Server Manager MMC. Click Add Roles, 
then click Next until you see a screen with 
16 roles. Select Network Policy and Access 
Services, then click Next two times. Click 
Network Policy Server. Clear the check 
box labeled Routing, and make sure only 
Remote Access Service is selected. Leave 
everything else cleared. Click Finish, and 
reboot if prompted. 

When the installation is complete, start Network Policy Server via the icon in Administrative Tools. The pane on the right displays a Getting Started screen. Choose RADIUS server for Dial-up or VPN Connections from the drop-down menu, then click Configure VPN or Dial-Up. A new dialog box labeled Configure VPN or Dial-Up appears. Choose Virtual Private Network (VPN) Connections. I usually leave the default name in the Name window at the bottom and add "PIX" so that it looks like this: PIX Virtual Private Network (VPN) Connections. Click Next.

Figure 4: New RADIUS Client screen

At this point, the process is very similar to setting up a RADIUS client on Windows 2003. Click Add to add a new RADIUS client. Remember that the client is the Cisco PIX firewall and not an individual user's PC or username.

Give the RADIUS client a friendly name, specify the IP address of the Cisco firewall, then enter and document the Shared Secret. Click OK to close the properties page, then click Next.

Leave MSCHAPv2 selected and the 
other options cleared. Don't add any groups 
to the Specify User Groups page; click Next. 
Don't add any IP Filters; again, click Next. 
On the Specify Encryption Settings page, 
leave the defaults, and click Next. A realm 
name isn't necessary in this setup, so click 
Next. Review the settings that you specified, 
then click Finish. 

As with Windows 2003, you need to 
enable unencrypted authentication. In the 
Network Policy Server MMC, which should 
already be open at this point, click Expand 
Policies, Network Policies, and double-click 
Connections to other access servers. Click the 
Constraints tab and enable Unencrypted 
authentication (PAP, SPAP). 

Troubleshooting 

Even though setting up a RADIUS server is 
pretty straightforward, you might encounter 
a problem or two. Here are some common 
Event Log errors that I've seen and how to fix 
them. (Note that "2003" denotes Windows 
2003 while "2008" denotes Server 2008.) 

Event ID 2 (2003), 6273 (2008): "The user attempted to use an authentication method that is not enabled on the matching network policy." See whether Unencrypted authentication (PAP, SPAP) is enabled. This policy can be found in Remote Access Policies (2003), or Network Policies (2008). Edit the entry Connections to other access servers and ensure that the checkbox for Unencrypted authentication is selected.

Event ID 2 (2003), 6273 (2008): "Authentication was not successful because an unknown username or incorrect password was used." As the explanation in this event describes, the user has entered incorrect information. Double-check the username and password. Unfortunately, this event can also indicate a mismatch between the Server Secret key on the VPN device and the Shared Secret on the RADIUS service. If all of your users except one are able to authenticate their VPN connections via RADIUS, then the Server Secret key/Shared Secret is fine and you need to concentrate on the user experiencing the problem. But if nobody is able to log in, then it might be good to verify that the Server Secret key/Shared Secret is the same.

Event ID 2 (2003), 6273 (2008): "The connection attempt failed because network access permission for the user account was denied." The username and password are correct, but the user is not authorized to dial in. Find the user in Active Directory Users and Computers and enable Allow Access on the Dial-In tab. This event could also mean that the server doesn't have access to read the dial-in attribute of the user objects in AD. As with the other events, to determine the cause, you need to determine if the problem is affecting one user or all users.

If you set everything up correctly, and the user enters a correct username and password, you should receive an Event ID 1 (2003), 6278 (2008). This event tells you which user was granted access and the IP address of the VPN device that the user tunneled through.
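The triage rule that runs through the three error events above (one failing user points at that user; everybody failing points at the shared secret) is easy to automate once the events are exported from the Security or System log. The following is an added example, not part of the article and not a Microsoft tool; it works on a constructed list of event records with the event IDs and reason texts the article quotes. The `client_ip` field, the `CORP\` usernames, and the reason text on the success event are constructed sample values.

```python
from collections import defaultdict

# Event IDs the article lists as (IAS on Windows 2003, NPS on Server 2008).
ACCESS_GRANTED = {1, 6278}
ACCESS_DENIED = {2, 6273}

# Fragment of the event's reason text -> the fix the article gives for it.
REASON_HINTS = {
    "authentication method that is not enabled":
        "Enable 'Unencrypted authentication (PAP, SPAP)' on the "
        "'Connections to other access servers' policy.",
    "unknown username or incorrect password":
        "Bad credentials for this user, or a Server Secret Key / Shared Secret "
        "mismatch if every user is failing.",
    "network access permission for the user account was denied":
        "Set 'Allow Access' on the user's Dial-In tab in AD Users and Computers, "
        "or confirm the RADIUS server is registered in AD and can read dial-in "
        "properties.",
}

# Constructed sample export; the success reason text is illustrative only.
SAMPLE_EVENTS = [
    {"event_id": 6278, "user": "CORP\\alice", "client_ip": "192.0.2.1",
     "reason": "Access granted (constructed sample text)."},
    {"event_id": 6273, "user": "CORP\\bob", "client_ip": "192.0.2.1",
     "reason": "Authentication was not successful because an unknown username "
               "or incorrect password was used."},
    {"event_id": 6273, "user": "CORP\\carol", "client_ip": "192.0.2.1",
     "reason": "The connection attempt failed because network access permission "
               "for the user account was denied."},
]


def hint_for(reason: str) -> str:
    """Map an event's reason text to the article's remedy for it."""
    lowered = reason.lower()
    for fragment, hint in REASON_HINTS.items():
        if fragment in lowered:
            return hint
    return "Reason text not covered here; read the full event description."


def triage(events: list) -> dict:
    """Apply the article's rule of thumb to a batch of RADIUS events.

    Returns the scope of the problem (single-user, all-users, or healthy),
    the advice that follows from it, and a per-user list of hints.
    """
    granted_users = {e["user"] for e in events if e["event_id"] in ACCESS_GRANTED}
    denied = [e for e in events if e["event_id"] in ACCESS_DENIED]
    per_user = defaultdict(list)
    for e in denied:
        per_user[e["user"]].append(hint_for(e["reason"]))

    if denied and not granted_users:
        scope = "all-users"
        advice = ("Nobody is authenticating: verify the Server Secret Key on the "
                  "VPN device matches the Shared Secret on the RADIUS client entry.")
    elif denied:
        scope = "single-user"
        advice = ("Other users succeed, so the shared secret is fine; "
                  "concentrate on the failing accounts.")
    else:
        scope = "healthy"
        advice = "No denials in this window."
    return {"scope": scope, "advice": advice, "per_user": dict(per_user),
            "granted_users": sorted(granted_users)}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print(result["scope"], "-", result["advice"])
    for user, hints in result["per_user"].items():
        print(f"  {user}: {hints[0]}")
```

Run it over a window that spans a few minutes of log entries rather than a single event; the scope decision only makes sense when at least one success and one failure from different users can be compared.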

Try It and See

Those are the basic steps in setting up a RADIUS server in your enterprise. It might seem a bit daunting working with IAS in Windows 2003 and NPS in Server 2008. But as you set up your first RADIUS server and see how the VPN device and Windows Server communicate, you will soon realize that the concepts are very simple, and you might find yourself looking for more network devices to authenticate to AD via a RADIUS server.
Outlook 2007 SP2 Improves OST Performance

Microsoft's latest updates provide snappier responses on very large mailboxes
- by Tony Redmond -



Microsoft Exchange Server administrators don't typically get very excited about a Microsoft Office system service pack, perhaps because it's usually someone else that takes care of updating software on PCs. However, with Office 2007 SP2, Exchange admins—and end users—might have reason to celebrate. Office 2007 SP2 includes fixes for a major performance problem in Microsoft Office Outlook 2007 that has affected Microsoft Exchange Server for years. Even better, because the results of the performance work were so good, Microsoft decided to release an update for Outlook 2007 SP1 in the February 2009 Cumulative Update (support.microsoft.com/?kbid=968009) that you can apply immediately without waiting to roll out the full SP2. Let's take a look at why Outlook performance has suffered on large mailboxes and examine the improvements that Microsoft has made.

The Zen of the OST 

MAPI-based Exchange Server clients have always supported the Offline Folder file (OST). Back in the mists of time, early versions of Outlook and the original Microsoft Exchange Viewer used OSTs to synchronize folders for offline access on an on-demand basis. Important folders such as the Inbox were synchronized automatically, but if you wanted to use other folders offline, you had to configure the client to synchronize them whenever it connected to Exchange. Folders in the OST are replicas of the online master folders in user mailboxes; the synchronization process keeps the two copies aligned. Unlike PSTs, which can be opened by any MAPI client, an OST is always linked to a specific user mailbox and can be opened only by a client that can connect to that mailbox.

Simple synchronization was sufficient in the era of dial-up networking when a 56Kbps connection was something to celebrate. A major change occurred when Microsoft introduced Outlook 2003 alongside Exchange Server 2003 and we entered the era of Cached Exchange Mode. Exchange 2003 introduced features such as drizzle-mode synchronization and a bunch of networking improvements that Outlook exploited to capture a complete copy of user mailboxes in the OST. This change was great from a user perspective because you had a complete copy of your mailbox to work on even when the network wasn't available.

The introduction of Cached Exchange Mode was popular with administrators because it facilitated server consolidation. Previously, clients had to connect to a local Exchange server when suitable communications weren't available to allow online access to servers in centralized data centers. With Cached Exchange Mode, those same clients could connect over extended links and synchronize behind the scenes while users worked with data in the replica folders in the OST. Cached Exchange Mode also isolated clients from temporary network outages, and the Outlook 2003/Exchange 2003 combination was more effective in using network bandwidth so more clients could work across the same link.


Maintaining OST Performance 

Cached Exchange Mode remains a tremendously important aspect of Exchange design today. However, the OST file structure wasn't designed to handle the size of mailboxes that are now common. OSTs cope splendidly when only select folders are synchronized from small mailboxes; they're much less effective when you synchronize all the folders from multigigabyte mailboxes. My personal experience is that performance erodes after an OST grows to more than 1.5GB, more than 5,000 items in a folder, or more than 20,000 items in the OST, but this can vary according to the speed of your PC's hard disk (as measured in its ability to transfer data; PCs equipped with solid-state disks are typically the fastest, those with 7,200 RPM standard disks are the next quickest). You know an OST is having problems if the hard disk indicator of your PC stays constantly lit when Outlook opens a new folder or performs other operations that force Outlook to access data in the OST.

An OST is typically between 10 percent and 15 percent larger than its source mailbox because of the way that data is organized in the file and the internal structures that index the data. You can't restore performance simply by deleting items from your online mailbox to reduce the size of the OST and the number of items it holds because Outlook has to perform some processing to compact the OST. This work normally is done when Outlook isn't busy, but you can force Outlook to compact the OST, as Figure 1 shows. To do so in Outlook 2007, go to Tools, Account Settings. On the Data Files tab, select the OST from the list, then select Settings. On the Advanced tab, click Offline Folder File Settings, then click Compact Now. This operation can take from a few seconds to a few minutes to complete depending on the size of the OST.

Figure 1: Forcing Outlook to compact the OST

Even if an OST is as small as it can be, it still might not be very efficient because internal structures within the OST degrade over time. You can run the OST Integrity Check tool (Scanost.exe), which Figure 2, page 44, shows, to check and fix any internal problems. The process is roughly equivalent to defragmenting a hard disk or running the Isinteg utility to perform integrity checks on an Exchange database. See the Microsoft article "Scan and repair corrupted Outlook data files" (office.microsoft.com/en-us/outlook/HA100758311033.aspx) for details about what Scanost does and how to run it.

Microsoft introduced Scanost with Outlook 2007 specifically to deal with OST files. Earlier versions of Outlook include Scanpst.exe that can repair OSTs and PSTs, and I can only conclude that the Scanost program is smarter at dealing with internal OST structures than Scanpst. When Scanost is finished processing, it creates a message in your Deleted Items folder to report its activity. Figure 3, page 44, shows a sample message.

If an OST still doesn't perform well after compacting and scanning, the last thing you can try to restore an OST to good health is to rebuild it from scratch. Think of this as the equivalent to running Eseutil to rebuild an Exchange database. You have to exit Outlook and delete the OST—although people who are more cautious might opt to rename it instead, just in case—and then restart Outlook to force the client to recreate the OST.

Just like you wouldn't recommend that Exchange administrators rebuild databases regularly—a task not necessary with Exchange 2003 and later, even if the mythical need persists in the imaginations of many—rebuilding OSTs isn't something to recommend users do regularly. Re-creating an OST can take a few hours depending on its size, number of items it contains, and the speed of the network connection to the Exchange server. You definitely don't want to re-create an OST over a slow network link or when the server is under heavy load because these factors slow processing considerably.

The Importance of OST Speed 

A rebuilt OST isn't a guarantee of snappy performance; the inherent flaws of the OST structure when coupled to a large mailbox can still condemn you to sluggishness. That's why it was so important for Microsoft to invest some engineering effort to help OSTs cope with large mailboxes. Microsoft has known for some time that large OSTs perform like slow pigs, and it's surprising that they didn't address the problem in Outlook 2007. The growing size of mailboxes and the increasing number of mailboxes connected to Exchange 2007 and Exchange 2003 servers made the problem more evident.

Figure 2: Running Scanost (the OST Integrity Check dialog, showing the "Scanning hierarchy" progress text, the Repair errors option, and the Begin Scan and Exit buttons)

TechEd is one of the most significant IT conferences of the year, and TechEd 2009 was no exception. A team of editors from Windows IT Pro and SQL Server Magazine covered the show this year. Here are some selected highlights:

Did You Attend TechEd 2009?

Thousands of attendees joined us at TechEd 2009, as did quite a few Windows IT Pro and SQL Server Magazine readers. We always like to hear feedback from readers, so let us know what you thought of TechEd this year: Drop us an email at letters@windowsitpro.com to tell us what you liked (and didn't like) about TechEd 2009.

ITTV.NET TechEd Coverage

We've posted all of our TechEd 2009 video coverage on ITTV.net, our video-sharing site for IT professionals. You'll see author roundtables, vendor booth visits, and other video content from the show floor. Have any TechEd video of your own to share? Feel free to create an ITTV.net account and upload your own! Visit www.ITTV.net for more details.

2009 Best of TechEd Award Winners!

Our team of judges examined more than 170 products from dozens of vendors to come up with our Best of TechEd award winners, and thousands of attendees also voted for the 2009 Best of TechEd Attendees' Pick Awards. See the winners of both awards programs at www.windowsitpro.com/awards.

Live Blogs and Twitter Feeds

We covered the shows via our blogs and Twitter feeds, so be sure to visit the WindowsITPro.com and SQLmag.com websites and our Twitter accounts for a comprehensive TechEd 2009 recap:

■ Best of TechEd Awards: www.twitter.com/bestofteched09

■ Windows IT Pro: www.twitter.com/Windowsitpro

■ SQL Server Magazine: www.twitter.com/SQLServerMag

■ Jeff James: www.twitter.com/jef5ames3

■ Amy Eisenberg: www.twitter.com/witproamy

■ Sheila Molnar: www.twitter.com/sheilamo

In addition, Microsoft needs to make it easier for users to have even larger mailboxes in the future so that it can compete with Google and other online vendors that offer free mailboxes in the 5GB to 10GB range. Some organizations already run Exchange servers with very large mailboxes; a 50GB mailbox isn't uncommon for senior corporate executives, especially those who are targets of legal discovery actions. The slowness of the OST can make using large mailboxes a real pain even if you're using the fastest, most up-to-date hardware.

The good news is that the fixes now available for Outlook 2007 SP1 and in Outlook 2007 SP2 deliver much better performance and responsiveness for OSTs connected to large mailboxes. It's hard to measure just how good the improvement is because no tools are available for this purpose. My nonscientific tests show that the beta version of Outlook 2007 SP2 spends less time causing the hard disk light to come on and provides a much more responsive performance with mailboxes of up to 10GB—in other words, you definitely experience fewer "stutters" when Outlook opens a large folder or changes views. I didn't attempt to test a mailbox larger than 10GB. I anticipate that the final SP2 code will deliver even better performance after Microsoft removes the debugging code that it usually includes in beta software.

Relieving a Shutdown Problem 

Along with speeding OST performance, Outlook 2007 SP2 changes how the program shuts itself down. The details are explained in "Application Shutdown Changes in Outlook 2007 SP2" (msdn.microsoft.com/en-us/library/dd239276.aspx), but basically the problem was that Outlook took too long to shut down after a user requested the application to close. Users would sometimes become frustrated that Outlook didn't shut down as promptly as they expected, which led them to terminate the process using Windows Task Manager.

Figure 3: A sample Scanost report

Forcing Outlook to quit with Task Manager certainly is effective. However, this process can cause Outlook to fail to write cached data to disk properly and so corrupt the OST. The next time Outlook starts, it detects the corruption and fixes it, but while Outlook is scanning for problems and fixing whatever it finds, it's slower to respond to user requests and therefore creates the impression of being a performance hog. The change to force snappier shutdowns makes users happy and stops itchy users wanting to kill processes, so all in all it's a good thing.

Upgrade for Better Performance 

It would be nice if every change that Microsoft made to Outlook had such an obvious and immediately positive effect as the company managed to do in these updates for OST performance. Deploying a new service pack or hotfix for any software can be a painful and costly affair, especially if you lack the ability to distribute the new software and apply it automatically to all the PCs in your organization. It's not always obvious that the costs of such an exercise will result in any measurable benefit.

However, if you have the opportunity to deploy the February 2009 Cumulative Update or Outlook 2007 SP2 in the near future, the enhanced performance will delight any user whose mailbox is larger than 1GB. Given our ability to be human packrats and grow mailboxes to sizes that we never contemplated a few short years ago, better performance and support for large mailboxes could be just the reason you need to justify the upgrade.
Learn to make data connections and display up-to-date information on your SharePoint pages
by Jim Boyce


Many companies use SharePoint primarily for document collaboration, whether for simple sharing or in concert with workflows for document processing and approval. Sure, they use team calendars and other collaboration features, but their main use for SharePoint is as a document repository.

But document collaboration is just one of the struts in SharePoint's 
framework. SharePoint provides not only a rich portal environment, 
but also one with the capability to integrate with back-end systems 
for data rollup and publishing. Let's take a look at some examples of 
how SharePoint can help you display and manipulate external data 
sources. 

Simple Data Connections 

BMC Software's BMC Remedy Action Request System is a popular 
incident and task management system. My team relies on Remedy, 
at least in part, to service task requests and incidents in support of 
the applications and systems that we support. With the exception 
of approving change requests, the majority of my time isn't spent in 
Remedy because I don't actively work tickets. However, I do need 
to keep track of what's going on in the queue for ongoing tasks and 
incidents. That's where SharePoint comes into play. 

Remedy uses a Microsoft SQL Server back-end database to store its data. Because SharePoint can connect to and query SQL Server databases, it's a relatively easy process to pull Remedy data about tasks and incidents into SharePoint. In this case, we pull those items from our team queue into our team SharePoint site. Thereafter, team members and managers can see what's going on in the queue at a glance without needing to open Remedy. The team site also rolls up task assignments from SharePoint, targeted to the current user. So, for example, when I visit the team site, I see the contents of the Remedy queue and a list of any SharePoint tasks assigned to me.

To integrate external data sources in SharePoint without the use of third-party add-ons or writing custom page code, you'll need Microsoft Office SharePoint Designer 2007. You'll also need to know the credentials you'll use to connect to the back-end database, as well as the schema of that database so that you can build appropriate queries to pull data from it. Finally, before you start connecting willy-nilly to every database in your environment, take performance into account, particularly when hitting critical back-end production systems. For example, we don't connect directly to our Remedy production instance; instead, we connect to a reporting server that is real time plus 15 minutes. We give up an acceptable amount of data currency to ensure that we aren't affecting the production Remedy system—which would make a lot of other teams mad at us!

To integrate external data, regardless of type, you need to create a data connection that defines how to connect to the external data source. In SharePoint Designer, open the page on which you want to display the data. Select Data View, Manage Data Sources to open the Data Source Library in the right pane. Expand the Database Connections node and click Connect to a database to open the Data Source Properties dialog box. Click Configure Database Connection to start the wizard of the same name.

In the wizard, you specify the database server name, provider type (in this case, the SQL Server provider), and the authentication credentials the connection will use, as Figure 1, page 48, shows. Based on these properties, SharePoint Designer builds a connection string to the database. If necessary, you can select the Use custom connection string check box to create your own connection string. When your connection is set, click Next to select the target database and the table or view from which your data will come. Click Finish to create the connection and return to the Data Source Properties dialog box.

Figure 1: Specifying the database server name and credentials for the connection

Figure 2: Filtering the query to obtain the desired recordset (the Filter Criteria dialog, "Specify filter criteria to determine which list items are displayed")

Next, you need to specify the fields to be included in your query, along with filter and sort settings, if any. Click Fields to open the Displayed Fields dialog box. You can add or remove fields as needed, then click OK. Unless you want all records from the database, you need to set a filter, so click Filter, then click in the Filter Criteria dialog box to add a filter. In the example that Figure 2 shows, there are two filters: Assigned_Group Contains 'Collab' and Issue_Status Not Equal 'Closed.' These two filters give us a data set of all items assigned to our group that aren't closed (i.e., all open items for our team). If you want to sort the records, click Sort on the Data Source Properties dialog box, set the sort order, and click OK. Then click OK to close the Data Source Properties dialog box.

With the connection in place, you're 
ready to add a Data View Web Part that 
will use the data. Locate the cursor on the 
page where you want the Web part inserted. 
Choose Data View, Insert Data View. Next, 
we need to pull fields into the Web Part, so 
click the drop-down menu beside your newly 
created data source and choose Show Data to 
open the Data Source Details task pane. You 
should see a recordset with fields in the Data 
Source Details pane. Start by dragging one 
field to the Web Part, then click the Web Part 
to select it, click the small right arrow in the 
upper right corner of the Web Part, and click 
Edit Columns from the pop-up menu. Add 
fields and arrange their order as desired, then 
click OK. 

At this point, you should see live records from the data set displayed in the Web Part. You can apply conditional formatting (such as highlighting the Issue_ID field in red for SEV1 incidents), specify how many records to display, enable sorting and filtering on column headers, and modify other properties.

Using Linked Data Sources 

The previous example used a single data source—one SQL Server table. With SharePoint Designer, you can also link multiple data sources and display the results in a Data View Web Part. For example, you might display a couple of SQL Server database tables, or an XML file and a SQL Server database, or a couple of XML files, and so on.

When you link data sources in SharePoint Designer, you have two choices: merge or join. You would choose to merge the data when the data sources are similar in structure. For example, assume you have four inventory databases, one from each of your four warehouses. You want to display a combined view of the data in SharePoint, so you merge the data sources. You would join data sources when the data sources are dissimilar in schema but have a field in common. For example, you might use join for a customer database and an orders database on a common CustomerID field to show a list of customers and recent orders. 

You start by defining the data connections for the multiple sources as described in the previous section. When the data connections are defined, expand the Linked sources node of the Data Source Library pane and click Create a new Linked Source. As Figure 3 shows, you choose the data sources in the resulting wizard; thereafter you'll choose whether they'll be merged or joined and select other options based on the data connection types. You have more options with databases than with other types of data. 

The process for adding data to a page is much the same as for a single, nonlinked data source. You can drag fields to a Data View Web Part or click Insert Selected Fields As and choose a single item view or a multiple item view, as needed. For more information about creating and inserting linked data sources, search SharePoint Designer Help for (you guessed it) "linked data sources." 
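To make the merge-versus-join distinction concrete, here is an added Python example (not SharePoint Designer code and not from the article) that combines constructed warehouse, customer and order records the two ways the Link Data Sources Wizard offers; the records, function names and the schema check are invented for illustration.

```python
"""Merge versus join of linked data sources, as the article distinguishes them.
Added example with constructed data; it is not SharePoint code."""

# Constructed sample data: four warehouse inventory tables with the same
# schema (the article's candidates for MERGE) ...
WAREHOUSES = {
    "north": [{"SKU": "A100", "Qty": 12}, {"SKU": "B200", "Qty": 0}],
    "south": [{"SKU": "A100", "Qty": 3}],
    "east": [{"SKU": "C300", "Qty": 7}],
    "west": [],  # a warehouse with no stock rows at all
}

# ... and a customer table plus an orders table with different schemas
# that share a CustomerID field (the article's candidates for JOIN).
CUSTOMERS = [
    {"CustomerID": 1, "Name": "Contoso"},
    {"CustomerID": 2, "Name": "Fabrikam"},
    {"CustomerID": 3, "Name": "Litware"},  # has no orders
]
ORDERS = [
    {"OrderID": 501, "CustomerID": 1, "Total": 250.0},
    {"OrderID": 502, "CustomerID": 2, "Total": 80.5},
    {"OrderID": 503, "CustomerID": 1, "Total": 19.99},
    {"OrderID": 504, "CustomerID": 9, "Total": 5.0},  # orphan: no such customer
]


def merge_sources(sources):
    """Merge: stack records from sources that share a schema into one data
    set, tagging each row with the source it came from.  A source whose
    columns differ is rejected (hypothetical check), because merging
    dissimilar schemas silently drops or misaligns fields."""
    merged = []
    expected = None
    for name, rows in sources.items():
        for row in rows:
            cols = set(row)
            if expected is None:
                expected = cols
            elif cols != expected:
                raise ValueError(
                    f"source {name!r} has columns {sorted(cols)}, "
                    f"expected {sorted(expected)}")
            merged.append({"Source": name, **row})
    return merged


def join_sources(left, right, key, keep_unmatched_left=True):
    """Join: combine two differently shaped sources on a common field.
    With keep_unmatched_left=True (a left outer join) a customer with no
    orders still appears, with the right-hand columns set to None; rows on
    the right whose key has no match on the left are dropped either way."""
    right_cols = [c for c in (right[0] if right else {}) if c != key]
    by_key = {}
    for row in right:
        by_key.setdefault(row[key], []).append(row)
    joined = []
    for lrow in left:
        matches = by_key.get(lrow[key], [])
        if not matches and keep_unmatched_left:
            joined.append({**lrow, **{c: None for c in right_cols}})
        for rrow in matches:
            joined.append({**lrow, **{c: rrow[c] for c in right_cols}})
    return joined


def choose_link_type(a_cols, b_cols):
    """The rule the article gives: same structure -> merge; different
    structure with a field in common -> join; otherwise neither fits."""
    a, b = set(a_cols), set(b_cols)
    if a == b:
        return "merge"
    return "join" if a & b else "none"


if __name__ == "__main__":
    for row in merge_sources(WAREHOUSES):
        print("merged:", row)
    for row in join_sources(CUSTOMERS, ORDERS, "CustomerID"):
        print("joined:", row)
```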

A key point to understand here is that you don't need Microsoft Office SharePoint Server (MOSS) 2007 to integrate back-end data sources. Everything we've covered so far can be accomplished with Windows SharePoint Services (WSS). 

Using Excel Services 

Excel Services is a feature that works only with MOSS 2007; it includes three components: Excel Calculation Services (ECS), Excel Web Access (EWA), and Excel Web Services (EWS). ECS loads the workbook, handles calculations, refreshes external data, and maintains sessions. EWA is a Web Part that enables interaction with the Excel data in SharePoint. EWS lets developers build custom applications that integrate with Excel workbooks. Excel Services is another tool that gives SharePoint a means to integrate external data, in this case from Microsoft Excel, into SharePoint. 

Figure 3: Linking multiple data sources through the Link Data Sources Wizard 

Consider an example: Your company uses a complex Excel workbook as a project management tracking tool to track key issues and milestones. Twice a week, 20 people have a conference call to review project status and discuss individual project items in the workbook. How do all of those participants get the updated version of the workbook each time? At the very least, the workbook should be uploaded to SharePoint so that each participant can download a copy for the meeting. More likely, the workbook is sent by email to each recipient, filling up the mail store and Inboxes alike. A much better solution would be to expose the spreadsheet in SharePoint through Excel Services. 

In this scenario, the project manager uploads the workbook to a file server or to a SharePoint document library. Then, the project manager or a SharePoint administrator or developer creates a portal page or set of pages in SharePoint to expose the data from the workbook. Instead of passing workbooks around twice a week, or even downloading the workbook from SharePoint, participants can simply browse to the project portal page and view project status. Figure 4 shows an example of a project-tracking spreadsheet exposed with Excel Services. 

In this situation, Excel Services clearly reduces the amount of data flowing through the company's email system. Perhaps more important, there is a single source of truth for the data—a single Excel workbook managed and updated by the project manager. No longer does each person have to worry about whether they have the most current version—they just need to visit the portal. 

Using the BDC 

The Business Data Catalog (BDC) is a set of components in MOSS that lets SharePoint integrate with a broad range of external data sources, including database applications, SAP, Siebel, and other line-of-business (LOB) applications. In effect, the BDC not only serves as the communicator between SharePoint and the external data system but also provides the components that display the data in SharePoint. Figure 5, page 50, shows a high-level example of BDC architecture (adapted from the MSDN website at msdn.microsoft.com/en-us/library/ms499729.aspx). 

The BDC supports several mechanisms for retrieving data from back-end databases, including ADO.NET, OLEDB, and ODBC. The BDC also retrieves data from other systems that can expose their data through Web Services. Creating a connection to an external data system isn't a point-and-click process with the BDC; it requires that you first describe the connection using metadata in an XML file called an application definition file (ADF). This process requires an understanding of the back-end data system's APIs and the content structure. 

Although you can technically create a BDC connection to a back-end system using the ADF file and no custom coding, implementing a solution with the BDC isn't a trivial task—certainly not as trivial as connecting a Data View Web Part to a SQL Server database to pull fields from a table. I'm not trying to scare you away from using the BDC; just understand that the average SharePoint administrator might not have the background to establish such a connection and will likely need to work collaboratively with the team managing the back-end systems. 

Figure 4: A project-tracking spreadsheet exposed with Excel Services 

Figure 5: An example of BDC architecture 

When the connection is established between SharePoint and the back-end system, the data from that back-end system can be exposed in SharePoint using several mechanisms, not the least of these being custom coding. However, SharePoint includes several Business Data Web Parts that let it display data using BDC connections without having to create custom code. These include: 

• Business Data Actions—displays a list of 
actions associated with items in the BDC 

• Business Data Items—displays an item 
from a data source in the BDC 

• Business Data Item Builder—passes a 
business data item to other Web Parts 

• Business Data List—displays a list of 
items from a data source in the BDC 

• Business Data Related List—displays a list 
of items from one or more parent items 
from a data source in the BDC 

• Business Data Catalog Filter—filters the 
contents of connected Web Parts using a 
list of values from the BDC 

In addition to using the Business Data Web Parts to display BDC data, you can also create a new column in a SharePoint list to display data. When you add the column, you specify the BDC entity and its related properties. Then, when you add a new item to the list, you pick the instance of the entity that you want to include in the list. SharePoint copies the data from the back-end system to the list. Because the actual data is copied to the list, rather than displayed as an external reference or link, you might occasionally need to refresh the data from the back-end system to the list. SharePoint provides a Refresh icon for the column name that you can click to return the data from the back-end system. 

In addition to displaying data from back-end systems in SharePoint portals, you can use SharePoint enterprise search to crawl back-end systems and return search results from those systems. This process involves registering the data source with the BDC, defining the appropriate metadata properties, adding the content source in search, mapping crawled properties, and optionally creating a search scope or customized search pages specifically for the data. As with integrating external BDC data into a SharePoint portal, this process is certainly not point-and-click. Nevertheless, you can potentially incorporate search of your back-end systems into SharePoint without writing any custom code. This capability can have a significant impact by enabling users to search across not just SharePoint or file servers but also multiple back-end LOB systems within a unified search interface. 

Pick the Best Method 

You can see that SharePoint provides a rich framework for integrating external data sources, whether it's as simple as bubbling up some SQL Server data in a Data View Web Part or as complex as pulling in data from your SAP or other LOB systems using the BDC. Some integration efforts can be as easy as clicking through a few wizards in SharePoint Designer and others could potentially require a business analyst, XML guru, and one or more subject matter experts on the back-end system's APIs and data structure. 

Regardless of the complexity, the first step, as in any development effort, is to clearly define the requirements. Having a clear understanding of what data you want to pull into SharePoint, how it needs to be displayed, and how users will interact with it will help you better plan the mechanics behind the scenes. 

Google Launches Free 
Phone Service 

Google launched its new Google Voice service, which is an updated version of the GrandCentral service it purchased almost two years ago. Google Voice provides users with a single phone number for all of their phones, free US-based phone calling, cheap international calling, and other interesting features. It's only available for free in the United States right now, and only to those who had previously signed up for GrandCentral. A wider beta is expected soon. 

Google Voice is a pure cloud computing solution: There's no software to download, and you don't even have to use the service from your computer because it also works with mobile phones, landlines, and VoIP phones. 

Existing GrandCentral subscribers 
will gain access to Google Voice over 
time. (I have not yet gotten in, though 
I've had a GrandCentral account for 
quite some time.) Features include: 

Google Number. You receive a single local phone number from Google and can use it for all of your phone calls and SMS messages. This number can simultaneously ring multiple phones, including landlines, cell phones, and other numbers. Google Number includes call screening, "ListenIn" (for listening before taking a call), call blocking, SMS, free US phone calling, phone routing, and phone forwarding. 

Google voicemail. Google Voice can optionally make text transcripts of your voicemail and send notifications via SMS or email. You can listen to voicemail online or from your phone, and forward or download voicemail. It also supports personalized greetings. 

Voice features. Google Voice also provides conference calling functionality, call recording, on-the-fly phone switching, a mobile inbox that's available from your mobile device, GOOG-411 directory assistance integration, and group management. 

To learn more, visit www.google.com/voice/about. 


NEW & IMPROVED 

KACE Adding Application 
Management to KBOX 

KACE Virtual Kontainers allows you to deploy and manage software by encapsulating applications. Apps and their associated files are stored on individual workstations, but are kept in their own file structure and do not interact with the Windows registry. Management of Kontainers is done through a web-based console that allows you to deploy and manage applications and place limits on when they're executed. It can also track the number of users currently running an app, ensuring that you don't go over the limit when you have licenses for a certain number of users at a time. At press time, Virtual Kontainers was scheduled to be available as an addition to the KBOX on April 27, priced at $3,995 for 100 managed clients with discounts for additional clients. To learn more, call 877-646-8366 or visit www.kace.com. 

Outlook Add-On Automates 
Contact Management 

A new add-on for Microsoft Outlook called gwabbit has been released. The add-on automatically pulls signature information from email messages and creates ("gwabs") Contacts for you. When you open a message or view it in the viewing pane, gwabbit scans it for contact information, checks your address book, and pops up a window asking if you want to add the contact if he or she isn't already in your address book. The only catch is that gwabbit's automatic detection doesn't always work as smoothly if the signature information uses special formatting. gwabbit is available for $19.95; to learn more, visit www.gwabbit.com. 

ESET NOD32 Antivirus 4 Upgrades Protection 

ESET announced the release of new versions of its NOD32 Antivirus and Smart Security products. The new versions add removable media security features and more advanced features for checking archives and seeking out rootkits. ESET's main focus is heuristic-based detection, which can sniff out malware based on its behavior, even without a signature. According to the vendor, ESET's small footprint makes it popular for use in virtual machines. For more information about ESET's products and free trials, call 619-876-5400 or visit www.eset.com. 
Use PowerShell to Manage Compellent SANs 

Having integrated Windows PowerShell scripting into its Storage Center SAN solution, Compellent Technologies has created the Storage Center Command Set for PowerShell. This command set, which is available to all Compellent users free of charge, includes more than 60 cmdlets to automate server and storage management tasks, such as creating, naming, and configuring virtual machines; configuring snapshots of servers for backup and recovery; creating server-to-SAN mappings in high-availability clusters; creating storage in Microsoft Exchange environments; building Hyper-V servers from images stored on the SAN; and provisioning storage volumes in servers. The Storage Center Command Set's documentation includes sample scripts for common operations. To learn more, visit www.compellent.com. 

Set-and-Forget Power-Management Solution 

To help companies manage their PCs' power consumption, New Boundary Technologies offers its Green IT Solution. Using New Boundary's Policy Commander (an automated policy management product) and PwrSmart technology, the Green IT Solution implements, monitors, and enforces power-management policies. Using drag-and-drop functionality, systems administrators can group computers and enforce the selected power-management policy on one or more computer groups. Alternatively, they can enforce the selected power-management policy on one or more computers. For more information, call 612-379-3805 or visit www.newboundary.com. 

New IT Automation Tools 

Two new versions of Kaseya's Kaseya Endpoint Security (KES) and Backup and Disaster Recovery (BU-DR) modules are now available. KES 2.0 integrates with Kaseya's complete suite of IT automation software, providing antivirus, antispyware, and rootkit protection at the user and database levels. BU-DR 3.0 includes new functionality called Incremental Forever and Synthetic Full Backups. The Incremental Forever option backs up only the data that has changed since the previous full backup. Synthetic Full Backups combines an incremental backup with previous backups to create a new synthetic backup. BU-DR 3.0 also offers a new Instant Virtualization capability that lets you remotely convert any backup to a VMware, ESX Server, or Virtual PC virtual disk. For more information about Kaseya's new modules, contact Kaseya at 415-694-5700 or go to www.kaseya.com. 
SUMMARIES of in-depth product reviews on Paul Thurrott's SuperSite for Windows 


Windows Server 2008 Foundation 

PROS: Lowest-cost version of Windows Server yet 

CONS: Lacks virtualization; works only with single-socket servers; sold only with new hardware 

RATING: ♦♦♦♦ 

RECOMMENDATION: What I call "Foundation Server" is Microsoft's low-capacity, low-cost server OS, ranging from $150 to $200. It's similar to Windows Server 2008 Standard Edition but supports only single-socket servers and no more than 15 users, and it doesn't offer Hyper-V or support for third-party virtualization solutions. It can be used in a new Active Directory domain but you can't add it to existing domains. Still, if you want to avoid the overhead or complexity of Small Business Server, Foundation Server's price is right. 

CONTACT: Microsoft • 800-426-9400 • www.microsoft.com 

DISCUSSION: www.winsupersite.com/server/foundation_preview.asp 


Amazon Kindle 2 

PROS: Most full-featured eBook reader on the market; free access to wireless store 

CONS: Egregious upfront cost outweighs any benefits 

RATING: ♦♦ 

RECOMMENDATION: I wanted to love Amazon's second-generation Kindle, as I've been using the device every day since late 2007. But Kindle 2 is just as expensive as its predecessor and too expensive to justify the benefits. That's a shame, because the hardware and software are nearly perfect. Dedicated book lovers might overlook its $360 price, but others should wait until Amazon prices it like the mass-market consumer product it truly is. 

CONTACT: Amazon • www.amazon.com 

DISCUSSION: www.winsupersite.com/mobile/kindle2.asp 
REVIEW 


ASUS Eee PC 900A Netbook 


Unlike most computer hardware, with netbooks you don't get more processing power if you spend more. Check the specs on one of the high-end netbooks that cost more than most notebooks, and you'll find a 1.6GHz Intel Atom processor and 1GB of RAM. Check the specs on a $250, year-old netbook model, and you'll find a 1.6GHz Atom processor and 1GB of RAM. You do have to make some compromises with low-end netbooks like the ASUS Eee PC 900A, but as far as raw power is concerned, the least expensive netbooks can do everything the most expensive ones can. 

Low-End Netbooks with Linux 

So what do you give up with an inexpensive netbook? One difference you might see is that low-end netbooks often come with some variant of Linux instead of Windows XP. In the case of the 900A, it came with a specialized Xandros OS. 

That OS was great as long as all I wanted to do was run a web browser and do some basic document work. When I tried to tinker with the OS and install other software, however, I found Xandros frustrating and limiting. It's Linux, so you can't install your Windows applications, but the OS attempts to hide most of Linux's complexity and ends up hiding most of its customizability. 

I then installed a netbook edition of Ubuntu Linux and was more satisfied because it provided standard Linux features such as a package manager to install new software and more extensive control panels to customize the OS. 

SSD Storage 

The 900A I tested came with a small solid state disk (SSD) instead of a standard hard drive, which is both a strength and a weakness. This low-end model came with only a 4GB SSD, so you're essentially required to use the computer's Secure Digital (SD) card slot if you want to store anything beyond the OS and some basic applications. On the other hand, without a hard drive platter, the computer is nearly free of moving parts. The fan is all you'll hear when using this computer, and it's quiet most of the time. The SSD also supposedly helps with battery life, but the 900A's small battery gives only about three hours of typical usage. 

Small Keyboard, Great Trackpad 

I found the 900A's keyboard a bit small—I wouldn't want to type more than a couple paragraphs on it. Its trackpad, on the other hand, is so good that I rarely wished for a mouse for web browsing and other tasks. Its secret is multitouch. If you use two fingers on the trackpad, it acts as a scrollwheel, three fingers tapping is a right-click, and two fingers spread apart is a middle-click. The left- and right-click buttons below the trackpad are actually just one long button and feel flimsy, as if they might break if you tried too hard to both right- and left-click simultaneously, but you rarely have to use them once you get used to the multitouch trackpad. 

The 900A's 8.9" screen is too small for many purposes, but most websites look fine on it. Like other netbooks, it lacks an optical drive, so you can't play DVDs, but video played on screen looks fine. 

Good Value—with Limitations 

I enjoy this netbook. As a portable media player and web browser it works great, but its severely limited storage, Linux OS, and unimpressive battery life make it hard to recommend to everyone. If you know you can do everything you want on your netbook with Linux and you'll usually be near an electrical outlet, an inexpensive netbook like the Eee PC 900A provides great value. 

If you aren't willing to live with these limitations, though, you might find the 900A disappointing and should look at a higher-end netbook or a standard laptop. 

InstantDoc ID 101915 


Eee PC 900A 

PROS: Small; light; inexpensive; same processor and RAM as more expensive netbooks; excellent multitouch trackpad 

CONS: Tiny storage space; unimpressive battery life; included Linux OS has some problems 

RATING: ♦♦♦◇◇ 

PRICE: About $250 

RECOMMENDATION: If you know that you'll be using it mostly for web access and will usually be near an outlet, the 900A is a great deal. But be certain you can live with its limited storage, relatively short battery life, and Linux OS. 

CONTACT: ASUSTek Computer • 888-678-3688 • asus.com 
REVIEW 


Diskeeper 2009 Professional 


Windows Vista's built-in defragmenter has some serious weaknesses. It barely has a UI, doesn't optimize file placement, takes several passes to defragment a drive effectively, and doesn't really work when a drive has little free space. If these shortcomings bother you, and you want to replace the built-in defragmenter, Diskeeper 2009 Professional is a good choice. 

Diskeeper does its job well. It defragments in the background without hurting system performance, doesn't require defragmentation scheduling, and is polished and professional overall. Diskeeper 2009 Professional edition is geared toward the typical office PC. On my office desktop, I didn't notice a performance improvement, but heavily used machines—especially servers—would probably see greater gains from Diskeeper products. 

Using Diskeeper 2009 Professional 

Diskeeper's installation took about two minutes and was painless. At this point I could have left Diskeeper alone; after it's installed, Diskeeper starts defragmenting your hard drive in the background. This is one of Diskeeper's best features and one that sets it apart from other defragmenting applications. I never experienced any unusual slowdown when running Diskeeper. 

Shortly after installing Diskeeper, I had it analyze my hard drive. The analysis provides a colored chart of the disk's files, which Figure 1 shows—something missing from Vista's defragmenter. Diskeeper reported that it detected "moderate fragmentation" on my drive but on the same screen said my drive was "heavily fragmented." It also reported that by defragmenting the drive, Diskeeper would increase my disk's performance by 1 percent. A 1 percent loss in performance doesn't strike me as notable fragmentation. 

Diskeeper also reported that its I-FAAST feature gave me an 18 percent performance gain by sequencing files for better performance. An 18 percent increase in disk performance could be huge on an in-demand server, but it wasn't noticeable on my desktop, as I rarely do anything that requires more than a few seconds of disk access. 


Glitches 

After using Diskeeper for a week, I encountered several bugs. Diskeeper either deletes or hides the Microsoft Management Console (MMC) Windows defragmenter snap-in, but it doesn't integrate itself into all the places the default defragmenter is integrated. For example, when I clicked Defragment Now in a disk's properties in Windows Explorer, I got the error MMC cannot open the file C:\Progra~1\Diskeeper. 

I also experienced a minor bug in the Diskeeper application itself. Every time I started the application, the dashboard displayed a yellow exclamation mark next to drive C and listed its health as Warning. When I clicked recommendations for the drive, Diskeeper reported that Master File Table (MFT) usage on the drive was 98 percent or higher and said to use Diskeeper's Frag Shield feature to automatically configure the MFT. However, I already had enabled Frag Shield. When I opened the Frag Shield options box, then closed it, the drive would show as Healthy until I closed the Diskeeper interface and reopened it. 

Try It Yourself 

If your hard disk has plenty of free space and you mostly use your computer for word processing and email, using Diskeeper 2009 Professional probably won't noticeably improve your system's performance. Even so, the product provides a better UI and more configuration options than the Windows defragmenter. If you want to squeeze every drop of performance out of your system, I recommend you download a free trial of Diskeeper and try it for yourself. 
Diskeeper 2009 Professional 

PROS: Simple to install; defragments disks without supervision; runs in the background without hurting system performance. 

CONS: Some minor bugs in the interface; messages about performance are confusing; performance over the built-in defragmenter might be imperceptible for a typical office system. 

RATING: ♦♦♦♦◇ 

PRICE: $59.95 for one machine; volume licensing is available. 

RECOMMENDATION: If you've decided you need a disk defragmenter for your desktop other than the built-in Windows defragmenter, and you like the idea of continuous defragmenting, Diskeeper 2009 Professional is a good choice. 

CONTACT: Diskeeper • www.diskeeper.com • 818-771-1600 



Figure 1: Diskeeper analysis 


Zac Wiggy | zwiggy@windowsitpro.com 



54 JUNE 2009 Windows IT Pro 

We're in IT with You 

www.windowsitpro.com 

REVIEW 


Internet Explorer 8 

Long before Internet Explorer (IE) 8.0's highly anticipated release, we saw a lot of media coverage—most of which touted IE 8.0 as the best version of IE yet. In a predominantly Windows-based environment, especially with online or cloud products, IE offers the peace of mind of standard integration and compatibility. But I've always favored competing browsers (Mozilla Firefox and, more recently, Google Chrome). Nonetheless, I considered IE 8.0 with an open mind. 

Layout and Interface 

My impression of IE 8.0's layout is warm, but not hot. The top-matter—which includes the search bar, menu, tabs, and add-ons—is several layers deep, and most of the features don't seem that useful. Suggested Sites, for instance, is supposed to provide you with a list of similar sites. However, in my tests, it always produced fairly irrelevant links. IE 8.0 also has two separate search bars, one for URLs and one for Google searches, which is much less efficient than Chrome's unified search bar that automatically identifies whether the text you enter is a URL or a keyword search. 

One thing I like about the interface is that IE 8.0 automatically blackens the base URL of the site you're on, so you can quickly identify the site and verify that it's legitimate. In addition, an RSS feed icon lights up if RSS feeds are available, which saves you from having to look for the orange icon yourself. Clicking the icon redirects you to the site's RSS page. Another cool function is Accelerators—you choose which Accelerators you want to use (e.g., translate with Google Translator, blog with Live Writer), then simply right-click on a page to automatically translate it or create a blog on it. Figure 1 shows an example of translating a web page. Finally, each new tab in IE 8.0 provides a list of recently closed tabs, which is quite useful. 

Performance 

IE 8.0 is faster than IE 7.0, about the same 
speed as Firefox 3.0, and a good bit slower 
than Apple's Safari 4.0 or Chrome Beta 
2. Like Firefox, IE 8.0 is especially slow on 
machines that are running a lot of other 
applications or have less than 1GB of RAM. 



Figure 1: Translating a website with the Windows Live Accelerator 

Enterprise Security Features 

The new enterprise security features are where IE 8.0 shines. InPrivate Browsing lets you surf the web without saving history or cookies. The SmartScreen feature automatically issues a warning for harmful or imposter sites; administrators can configure IE 8.0 to block these sites altogether. IE 8.0 also has Automatic Crash Recovery, which includes two significant changes from IE 7.0. First, if a tab crashes, only that tab crashes. Second, when you reload your browser or tab, IE 8.0 automatically redirects you to the site that crashed. Finally, the browser has two additional features that specifically prevent hacker invasion: Clickjack Prevention, which detects and disables clickjacking, and the Cross Site Scripting (XSS) Filter, which blocks XSS requests. 

Another IE 8.0 feature that other browsers lack is management through Group Policy. For more information about IE 8.0 Group Policy support, go to technet.microsoft.com/en-us/library/cc985351.aspx. 

Standards Compliance 

One of the big deals about IE 8.0 is that it's 
more standards-compliant than IE 7.0. As 
any developer knows, developing for IE can 
be a nightmare and requires far more work 
than for any other browser. So, how does IE 
8.0 fare in tests that measure compliance? 

IE 8.0 passes the Acid2 test but fails Acid3. Microsoft has stated that the company purposely didn't support Acid3 in IE 8.0 because Acid3 isn't yet an industry standard; however, it's probably good practice to have another browser handy in case you encounter a web page that doesn't display correctly. IE 8.0 also offers Compatibility View, which lets you properly view a site that was developed for IE 7.0. 

Overall 

After trying IE 8.0 for a while, my conclusion is that it's vastly superior to IE 7.0. While I still prefer Chrome's speed and simplicity for my personal use, IE 8.0 is a very competent browser (for both enterprise and consumer use). Windows administrators will probably want their users to use IE 8.0 simply because its security is so robust. To download IE 8.0, go to www.microsoft.com/windows/Internet-explorer/default.aspx. 
Microsoft Internet Explorer 8.0 

PROS: Greatly enhanced security features; 
usability and interface are improved from IE 7.0 

CONS: Still behind in standards compliance; 
slower than Chrome and Safari 

RATING: 

PRICE: Free 

RECOMMENDATION: If you were using IE 7.0, 
switching to IE 8.0 is a no-brainer. The additional 
features make IE 8.0 compelling for enterprise 
use, but if you only want a simple and fast web 
browser, IE 8.0 might not be for you. 

CONTACT: Microsoft • www.microsoft.com 
Savings!


Reserve your unique web 
address today and save. 

Protect your personal information. 
Private domain registration, 
a 2 GB e-mail account, domain 
forwarding and a starter 
website-building tool are 
included for FREE! 


FIRST YEAR* 




WEB HOSTING 


Everything you need for a 
professional website. 

1&1 WebsiteBuilder, 1&1 E-mail 
Marketing Tool, Mailing List, 
Driving Directions, Photo Gallery, 
1&1 Blog and more! Search 
advertising vouchers are 
included with all plans! 



1&1 BUSINESS PACKAGE 

■ 3 domain names 

■ 2,500 e-mail accounts 

■ 250 GB web space / 2,500 GB monthly transfer volume


PREMIUM SERVERS 


Designed specifically for high performance needs. 

Our premium servers feature top-of-the-line 
AMD Opteron™ processors with energy efficient 
technology, reducing costs and environmental 
impact with increased performance- 
per-watt. 1&1 matches 100% of the 
energy consumed in our data center 
with Renewable Energy Certificates. 


1&1 BUSINESS SERVER II 

■ Dual-Core Opteron™ Processor 1218 

■ 2 x 2.6 GHz, 4 GB DDR RAM, 

2 x 500 GB hard drive 

■ RAID 1 included for FREE! 

INSIGHTS FROM THE INDUSTRY


Microsoft MVPs Gather in Seattle 


Microsoft hosted 1500 IT professionals and developers for the 2009 Most Valuable Professional (MVP) Global Summit in Seattle in early March. The independent experts earn the MVP designation from Microsoft for sharing their expertise with the community and bringing customer feedback to the Microsoft product teams. The annual MVP Summit is a chance for Microsoft to gather this elite group, share ideas for product direction, and recognize the contributions these independent experts make to the Windows ecosystem.

I touched base with Group Policy MVP 
Darren Mar-Elia, Cluster MVP John Savill, 
SharePoint MVP Dan Holme, Exchange 
Server MVP Paul Robichaux, and Directory 
Services MVP Ethan Wilansky to see what 
being a Microsoft MVP means to them. 

What does the MVP status mean to you? 
How has it affected your career? 

John Savill: Being an MVP has enabled me to get inside access to the Microsoft teams that create the features I use day-to-day and write about. The MVP program has given me access to resources to learn the technologies to the depth I need to help others understand them.

Dan Holme: The opportunity to connect 
with other talented professionals and to 
interact directly with the product groups at 
Microsoft and actually have the chance to 
make a difference. 

Ethan Wilansky: The MVP award has become a recognized sign of technical achievement on the Microsoft platform. This has certainly been good for career distinction. In addition, access to the Microsoft product groups has been invaluable for getting an early look at Microsoft software and playing a role in product direction.

How does MVP status compare to a 
Microsoft certification? 

Dan Holme: MVP status recognizes community contribution. While most MVPs are technically very deep, the MVP designation is not, itself, a technical designation.

Paul Robichaux: Anyone who meets the requirements for a certification can earn one, but the MVP credential is only awarded to people based on a sustained effort to share knowledge with others in the community.

How has being an MVP affected your relationship with Microsoft product teams?

John Savill: I have a much better relationship with Microsoft in my particular area of expertise (Cluster). I am in touch with Microsoft almost daily about high availability topics, and my MVP lead also helps me get access to other program teams.

Dan Holme: I'm lucky to have an active 
and effective MVP Lead at Microsoft who 
has enabled me to better deliver solutions 
to the community and to my clients, and 
to better deliver customer feedback to the 
product team. 

Paul Robichaux: The product teams seek 
our detailed feedback, and they're happy 
to get it even when it amounts to us saying 
"you made a bad decision." 


When you become an MVP, does Microsoft attempt to influence you or are you obligated to promote Microsoft products? Does Microsoft place any limitations on what you can say about their products?

Ethan Wilansky: Microsoft does not obligate me in any way to promote their products. It's really up to me. If I wasn't already passionate about my focus areas, there would be no reason to work on maintaining my status as an MVP.

Paul Robichaux: Microsoft has never 
attempted to influence me, or any MVP that I 
know of, to say anything particular about their 
products. They do restrict what we can say by 
putting some topics under NDA. For example, 
I'm at the MVP Summit right now learning a 
ton about Exchange 14, but I can't share any of 
what I know until the NDA is lifted. 

Darren Mar-Elia: No, in fact they respect 
our independence. Plenty of MVPs were 
walking around the MVP Summit with 
iPhones and iPods. 

What advice would you have for someone who wants to become an MVP?

Ethan Wilansky: If you're passionate about Microsoft technology and can share your knowledge through writing (articles/blogging/newsgroups) or presenting at conferences, you are on your way. Stay focused, go deep, and avoid becoming a generalist. Writing for Windows IT Pro has been a great mechanism for sharing knowledge, and it has certainly played an important role in maintaining my MVP status.

Darren Mar-Elia: Don't try. I didn't know 
what the MVP program was until I got this 
strange email notifying me of my award. 

The point is to help other people. Maybe 
you'll get an MVP and maybe you won't. But 
if your goal is to get an MVP award, I think 
it's the wrong goal. 

—Amy Eisenberg 
Wanted: Your Real-World Experiences with Products

Have you discovered a great product that saves you time and money? Do you use 
something you wouldn't wish on anyone? Tell the world in a review in 
What's Hot: Readers Review Hot Products. If we publish your opinion, we'll 
send you a Best Buy gift card and a free VIP subscription to Windows IT Pro! 

Send information about a product you use and whether it helps you or 
hinders you to whatshot@windowsitpro.com. 
Establishing an Email Retention Policy:
The Legal Perspective 


Recently, a lot of my coworkers across Penton Media, Windows IT Pro's parent company, woke up to a new—and potentially shocking—reality. No, I'm not talking about changes or layoffs because of the poor economy. I'm talking about tomes of saved email messages that suddenly aren't there anymore due to the implementation of a comprehensive document-retention policy. The policy covers all company documents, but it's the rules regarding email that are going to be most difficult for people to adjust to.

The gist of Penton's new policy is that any email message older than six months will be automatically deleted—unless users move the message to one of a set of managed folders set up in Microsoft Office Outlook 2007 by the company's IT department. Each folder has a set time limit for retention, and only documents with specific legal or business requirements are allowed in those folders. I recently spoke with Elise Zealand, vice president and corporate counsel for Penton Media, about the development and implementation of the new policy.

Q: What's wrong with letting users 
decide what to keep? 

A: When you have longtime employees 
storing data in email for years on end, 
that's a cost problem and litigation risk 
problem. So what we wanted to do was 
make sure that everybody would be on the 
same page, that they would understand 
that there were clearly defined rules about 
data that needed to be retained, and 
unnecessary data would be deleted within 
a specified period of time. 

Q: How did you develop the policy for Penton? What resources did you consult?

A: We actually got some outside help just to make sure that we were appropriately covering our bases. So we used an outside law firm to give us some of the parameters with regard to accounting and finance, tax, employment, legal issues like contracts—just to make sure that we had a policy where we would have exceptions for automatic deletions for those kinds of documents.

Q: How long did that process take? 

A: I would say that we really seriously started the process in the fall, and it probably took from October/November until February to draft and implement the policy. And that was certainly with a lot of help and support from our IT department.

Q: The policy states that the default hold 
period for email is six months, but other 
types of documents can be held for up 
to two years. Why is there a distinction? 

A: The bottom line is that most of the data that comes into a company now is on email. So the vast amount of data that we have is electronic data, which also means that the greatest amount of waste is probably going to be on electronic data. I think people tend to retain email for a longer period of time than they do their hardcopy documents, because there's a limit to physical space and people are loath to create complicated filing systems for their hardcopy documents.

Q: Many organizations take a conservative approach to email retention and archive everything, but Penton's policy puts the responsibility on each employee to move required messages to the appropriate retention folder. What are the implications of such a policy?

A: We wanted to have a policy that was 
fairly aggressive—basically, the default 
rule is that your emails disappear in six 
months unless you are proactive in moving 
them into one of these exceptions folders, 
and the exceptions folders are very, very 
narrowly defined. There really has to be a 
legitimate business need or a legitimate 
legal or regulatory need for us to maintain 
that data. Otherwise the data goes. 

The cost of sifting through that volume of data is enormous. In cases where we don't have insurance coverage for attorney fees and costs, you could be looking at spending tens of millions of dollars on discovery in a lawsuit. It really hinders our ability to prosecute claims where we feel that there's been some business injury to Penton, or to be aggressive in defending ourselves in a court.

Q: Are you confident employees will 
save what they're required to? 

A: I have very little doubt that we won't 
save what we need to save. As far as really, 
truly deleting unnecessary stuff, I think that 
this policy will take us half of the way there 
or more, I hope. And having an automatic 
deletion function on email is very, very 
helpful—that goes a long way. And then 
we will be auditing the managed folders 
just to make sure that we don't have users 
who are just moving everything in their 
Inbox into the managed folders. 

Q: How much did you work with the 
IT department to establish the policy 
and to set up things such as managed 
folders or other technical points of the 
implementation? 

A: In doing something like this, first you have your period of development of the policy where you're doing research, you're looking at other companies, you're talking to your IT department to decide how to best implement this. Once I had a draft policy in place, I went back to the IT department, gave them the policy, got their feedback, and then we really designed the implementation of the policy together. And it's been a work-in-progress. We've been tweaking it. Even after the rollout of the policy, we've had to make some changes.

Q: Whose responsibility will it be to 
audit the managed folders to ensure 
users are using them correctly? 

A: If we're going to conduct an audit, we'll do it together. We'll talk about the parameters of the audit together—that will be something legal and IT discuss before it's implemented. And then, although IT would have the technical responsibility to perform the audit, we would create the audit parameters together.

Q: Do you think employees will come 
around to see the benefits of the policy? 

A: Yes. It's a hassle to constantly be sifting through data, but it will become automatic. You'll save the things that must be saved, and the rest of it, let it go—it's just junk. And I'm probably one of the worst offenders. I still haven't cleaned out my Inbox, but I will.

Q: Do you think that companies in general are doing a good job with document retention?

A: This policy is really an attempt to be proactive—to ensure that we're not going to be one of the companies that's spending tens of millions of dollars in attorneys' fees. But having been a litigator for ten years, I have numerous stories of clients who didn't implement a policy until after they learned the hard way. I myself have managed teams of temporary attorneys at law firms who are working in shifts so that there's almost 24 hours a day of reviewing time for federal court litigation and for justice department investigations that cost the client tens of millions of dollars. And it's wasteful, and it's a business interruption for the client. And it happens over and over again.

"Data is critical to our company, so it should be one of the highest priorities."

—Elise Zealand, vice president and corporate counsel for Penton Media

Q: Any last words for IT pros on what 
they need to know or should be doing 
with records retention? 

A: I think that in companies where there isn't an in-house legal department, they can certainly be proactive in talking with their executive team about the need for a policy like this. They should focus on the benefits to the company in terms of cost-savings and risk management. Maybe it's not a burden that should fall on IT, but it really may be on them in the first instance to start talking to their executive committee about the need for a program like this.

—B.K. Winstead 
InstantDoc ID 101646 
The Tech Behind Cisco's Unified Computing


Cisco announced its new Unified Computing System initiative, boasting that the company's new systems will combine computing, storage, virtualization, and networking. Cisco will soon begin selling blade servers, but assuming the company delivers everything it promised Monday, the fact that it's competing with companies like HP in that area is only part of the news. The initiative aims to make servers easier to deploy and manage, in large part through new networking ideas.

Cisco's "wire once" capabilities combine what are usually separate networks for LAN, SAN, and computing into a single low-latency 10Gbps network. The Unified Computing System can use technology such as SAN, NAS, iSCSI, Ethernet, Fibre Channel, and Fibre Channel over Ethernet to access storage, making storage simpler. The system should also greatly reduce I/O bottlenecks.

The initiative aims 
to make servers 
easier to deploy and 
manage, in large 
part through new 
networking ideas. 

The other side of Cisco's Unified Computing is extensive use and support of virtualization. (See "VMware Signs up for Cisco Unified Computing System Initiative," www.windowsitpro.com, InstantDoc ID 101700.) Cisco promised seamless movement of servers physically and virtually without service interruption.

The hardware in the new Cisco blade systems is cutting edge but sticks mostly to standards. They'll use x86 processors, the new Nehalem-based Xeon processors. They'll also, as announced by Microsoft, run Windows Server OSs. Cisco officials said the systems will offer lower power consumption and need less cooling than existing systems. To learn more, visit Cisco's Unified Computing page at www.cisco.com/web/solutions/data_center/unifiedcomputing_promo.html.

—Zac Wiggy 
InstantDoc ID 101702 
Considering the increasing success of smaller and more mobile computing devices such as the netbook and the iPhone—not to mention the renewed interest in Star Trek, thanks to JJ Abrams' recent franchise reboot—it was only a matter of time before we started clamoring for a wearable computer. Check out Glacier Computer's Ridgeline W200 wearable computer: It wraps around the lower arm, weighs all of 10 ounces, and gives you a 3.5" color display and backlit keyboard—and it offers all the features of a standard computer. For more information, check out Glacier's website (www.glaciercomputer.com/w200.html).

by Jason Bovberg

by Brian Reinholz


If OSs were people, what would their personalities be like? Which one would most closely resemble you? From the following list, select the "personality" that most closely matches yours. See which OS you are at the bottom of the page.

A. You work in a quiet, modest office, and generally work overtime. Your desk is organized in a way that looks cluttered to most people, but you never have trouble finding what you want. You have a lot of pet projects that you do in your free time, which most people consider more work but you enjoy. You have a small, core group of friends.

B. You believe that both internal and external appearance is important. You work hard and are reliable, but expect significant compensation for your efforts. Your home is impressive to the many visitors you host. You purchase brand-name products and designer clothing, citing quality over quantity. You believe creativity and innovation are extremely valuable.

C. You're successful and popular, and give people what they want. You generally play by the rules, but can still have a good time. You work hard, but aren't afraid to cut a few corners. Being a very results-oriented person, you believe in doing what it takes to get a job done, rather than doing something for the sake of doing it. You believe life is a continuous journey of improvement, and you learn from your mistakes.


If you didn't find a match among these three choices, you must be some kind 
of free spirit, such as Sun Solaris or FreeBSD. Maybe you're open source. 